Naval  Research  Laboratory 

Washington,  DC  20375-5320 


NRL/FR/5540--00-9950 


Visual  NRM  User's  Manual: 
Tools  for  Applying  the  Network 
Rating  Methodology 


Andrew  Moore 

Center  for  High  Assurance  Computer  Systems 
Information  Technology  Division 


Beth  Strohmayer 
ITT  Industries 

Advanced  Engineering  and  Sciences  Division 
Alexandria,  VA 


May  31,  2000 


20000620  100 

Approved  for  public  release;  distribution  is  unlimited. 


OTIC  QUALITY  INSPECTED  4 


REPORT  DOCUMENTATION  PAGE 

Form  Approved 

OMBNo.  0704-0188 

Public  reporting  burden  for  this  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources, 
gathering  and  maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this 
collection  of  information,  including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson 
Davis  Highway,  Suite  1204,  Arlington,  VA  22202-4302,  and  to  the  Office  of  Management  and  Budget,  Paperwork  Reduction  Project  (0704-0188),  Washington,  DC  20503. 

1 .  AGENCY  USE  ONLY  ( Leave  Blank) 

2.  REPORT  DATE 

3.  REPORTTYPEAND  DATES  COVERED 

May  31,2000 

5/99-9/99 

4.  TITLE  AND  SUBTITLE 

5.  FUNDING  NUMBERS 

Visual  NRM  User’s  Manual:  Tools  for  Applying  the  Network  Rating  Methodology 

6.  AUTHOR(S) 

Andrew  R  Moore  and  Beth  Strohmayer* 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

8.  PERFORMING  ORGANIZATION 
REPORT  NUMBER 

Naval  Research  Laboratory 
Washington,  DC  20375-5320 

NRL/FR/5540-00-9950 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSORING/MONITORING 
AGENCY  REPORT  NUMBER 

National  Security  Agency 

Ft.  Meade,  MD  20775 

11.  SUPPLEMENTARY  NOTES 

*ITT  Industries 

12a.  DISTRIBUTION/AVAILABILITY  STATEMENT 

12b.  DISTRIBUTION  CODE 

Approved  for  public  release;  distribution  is  unlimited. 

13.  ABSTRACT  (Maximum  200  words ) 

Visual  NRM  is  a  toolset  and  language  for  developing  and  evaluating  a  map  of  an  argument  that  mission-critical  information  is 
adequately  protected  by  a  system  in  its  larger  operational  environment.  Visual  NRM  provides  a  graphical  extension  and  automated 
support  for  applying  DoD’s  Network  Rating  Methodology  (NRM).  This  report  is  a  manual  for  using  the  Visual  NRM  toolset. 

14.  SUBJECT  TERMS 

15.  NUMBER  OF  PAGES 

Vulnerability  analysis 
Assurance  argument 

Information  security 
Information  assurance 

52 

16.  PRICE  CODE 

17.  SECURITY  CLASSIFICATION 

OF  REPORT 

18.  SECURITY  CLASSIFICATION 

OF  THIS  PAGE 

19.  SECURITY  CLASSIFICATION 

OF  ABSTRACT 

20.  LIMITATION  OF  ABSTRACT 

UNCLASSIFIED 

UNCLASSIFIED 

UNCLASSIFIED 

UL 

NSN  7540-01-280-5500 


1 


Standard  Form  298  (Rev.  2-89) 
Prescribed  by  ANSI  Std  239-18 
298-102 


CONTENTS 


1.  INTRODUCTION . 1 

1.1.  Security  Analysis . 1 

1.2.  Visual  NRM  Maps . 3 

1.3.  Visual  NRM  Tool  Architecture . 4 

1.4.  Installing  Visual  NRM . 5 

1.4.1.  System  Requirements . 5 

1 .4.2.  Instructions  for  Installation . 6 

1.4.3.  Starting  Visual  NRM . 7 

1 .4.4.  Installation  Trouble  Shooting . 7 

1.4.5.  Uninstalling  Visual  NRM . 7 

1.5.  Structure  and  Terminology  of  this  Manual . 8 

2.  TUTORIAL . 8 

2.1.  Start  Visual  NRM . 8 

2.2.  Establish  a  Visual  NRM  Project . 8 

2.3.  Define  the  Downgrader  Problem . 10 

2.3.1.  Name  the  Page . 10 

2.3.2.  Add  Shapes  to  the  Page . 10 

2.3.3.  Connect  and  Label  Shapes . 12 

2.3.4.  Format  Shapes  on  Page  and  Pages  in  Window . 13 

2.3.5.  Build  a  Contextual  Model . 13 

2.4.  Refine  the  Argument  Map . 14 

2.4.1.  Add  a  New  Document . 15 

2.4.2.  Expand  Refinement  to  New  Document . 15 

2.4.3.  Create  Validation  Links . 16 

2.4.4.  Construct  a  Virtual  Desktop . 16 

2.4.5.  Exit  VNRM  Designer . 17 

2.5.  Document  the  Argument  Map . 18 

2.5.1.  Add  the  Documentor  Document . 18 

2.5.2.  Import  the  Argument  Map . 19 

2.5.3.  Insert  the  Dictionary . 21 

3.  VNRM  EXPLORER . 21 

3.1.  File  Menu . 23 

3.1.1.  New . 23 

3.1.2.  Delete . 24 

3.1.3.  Properties . 24 

3.1.4.  Set  Root  Page . 24 

3.1.5.  Print . 24 

3.1.6.  Exit . 24 

3.2.  Edit  Menu . 24 

3.2.1.  Undo . 24 

3.2.2.  Cut . 24 


111 


3.2.3.  Copy . 25 

3.2.4.  Paste . 25 

3.2.5.  Find . 25 

3.2.6.  Format  Menu . 25 

3.3.  View  Menu . 25 

3.3.1.  Toolbar/Status  Bar . 25 

3.3.2.  Small/Large  Icons . 25 

3.3.3.  Go  Back  Leaf  Node/Go  Forward  Leaf  Node . 26 

3.3.4.  Show  Brief/Long  Descriptions . 26 

3.5.5.  Refresh . 26 

3.3.6.  Options . 26 

3.4.  Tools  Menu . 26 

3.4.1.  VNRM  Designer . 26 

3.4.2.  VNRM  Desktops . 26 

3.4.3.  VNRM  Dictionary . 27 

3.4.4.  VNRM  Documentor . 27 

3.4.5.  World  Wide  Web  Menu . 27 

3.5.  Help  Menu . 28 

3.5.1.  User  Guide . 28 

3.5.2.  Search  For  Help  On . 28 

3.5.3.  About  VNRM  Explorer . 28 

4.  VNRM  DESIGNER . 28 

4.1.  Designer  Menu . 29 

4.1.1.  Save  All . 29 

4.1.2.  View  Spine  (Blue  Eye) . 29 

4.1.3.  View  Flesh  (Green  Eye) . 20 

4.1.4.  View  V alidation  (Red  Eye) . 30 

4.1.5.  Label  Shapes . 30 

4.1.6.  Add  Hyperlink . 30 

4.1.7.  Deselect  All . 30 

4.1.8.  Validate  Assumption . 3 1 

4.1.9.  VNRM  Dictionary . 3 1 

4.1.10.  VNRM  Desktops . 31 

4.1.11.  Options . 31 

4.1.12.  Resynchronize  VNDB . 3 1 

4.1.13.  Re-Apply  Dictionary  Formatting . 31 

4.2.  Miscellaneous  Operations . . . 3 1 

4.2.1.  Adding  New  Document . 3 1 

4.2.2.  Saving  Documents . 32 

4.2.3.  Saving  Window  Settings . 32 

4.2.4.  Restoring  Window  Settings . 32 

4.2.5.  Adding  New  Page . 32 

4.2.6.  Opening  Page . 32 

4.2.7.  Changing  Page  Name . 32 

4.2.8.  Deleting  Page . 32 

4.2.9.  Size  Page  to  Fit  Drawing . 32 

4.2.10.  Page  Zooming . 33 

4.2.1 1.  Aligning  Shapes . 33 

4.2.12.  Distributing  Shapes . 33 


IV 


4.2.13.  Selecting  Multiple  Shapes . 33 

4.2.14.  Removing  Validation . 33 

4.2.15.  Removing  Validation  Stack . 33 

4.2.16.  Editing  Long  Description . 33 

4.2.17.  Undoing  Operations . 33 

5.  VNRM  DESKTOPS . 34 

5.1.  Button  Pull-Down  Menu . 34 

5.1.1.  Add . 34 

5.1.2.  Delete . 34 

5.2.  Page  Pull-Down  Menu . 34 

5.2.1.  Remove  from  Desktop . 35 

5.2.2.  Save  as  Default  Settings . 35 

5.2.3.  Load  Default  Settings . 35 

6.  VNRM  DICTIONARY . 35 

6.1.  Pull-Down  Menu . 35 

6.1.1.  Add . 36 

6.1.2.  Delete . 36 

6.1.3.  Undo . 36 

7.  VNRM  Documentor . 36 

7.1.  Documentor  Menu . 38 

7.1.1.  Import  VNRM  Map . 38 

7.1.2.  Identify  Project  (footprints) . 38 

7.1.3.  Update  All  Tables . 39 

7.1.4.  Update  Fields . 39 

7.1.5.  VNRM  Dictionary . 39 

7.1.6.  Insert  Term  in  Dictionary . 39 

7.1.7.  Update  Dictionary  Table . 39 

REFERENCE  . 39 

APPENDIX-  Complete  Downgrader  Refinement . 41 

INDEX . 45 


y 


VISUAL  NRM  USER’S  MANUAL:  TOOLS  FOR  APPLYING 
THE  NETWORK  RATING  METHODOLOGY 


1.  INTRODUCTION 

Visual  NRM  is  a  toolset  and  language  for  developing  and  evaluating  a  map  of  an  argument  that 
mission-critical  information  is  adequately  protected  by  a  system  in  its  larger  operational  environment. 
Visual  NRM  provides  a  graphical  extension  and  automated  support  for  applying  DoD's  Network  Rating 
Methodology  (NRM)  [1],  This  document  presents  a  manual  for  using  the  Visual  NRM  toolset. 

As  shown  in  Fig.  1,  an  NRM  security  assurance  argument  composes  assurance  evidence  from 
potentially  many  different  sources  and  from  four  security  disciplines:  Physical,  Technological, 
Operational,  and  Personnel.  Visual  NRM  helps  manage  the  complexity  of  this  composition  by  mapping 
out  the  assurance  evidence,  tracing  meaningful  threads  of  reasoning,  and  highlighting  significant  results. 
The  maps  clearly  specify  how  each  piece  of  evidence  contributes  to  the  overall  argument.  The  Visual 
NRM  toolset  supports  traversing  the  hyperlinked  argument  and  analyzing  its  security  weaknesses. 
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Fig.  1-NRM  security  assurance  arguments 


1.1.  Security  Analysis 

Visual  NRM  supports  a  framework  for  analyzing  the  security  of  systems  originally  described  in  Ref. 
2.  Within  this  framework,  claims  are  made  about  the  security  that  a  particular  security  discipline  is 
required  to  provide.  Assumptions  document  requirements  that  one  discipline  places  on  another.  Each 
assumption  from  one  security  discipline  should  map  to  a  claim  (or  set  of  claims)  from  another  discipline 
that,  in  effect,  validates  the  assumption.  A  gap  in  this  mapping  indicates  a  security  vulnerability. 
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Fig.  2  illustrates  this  type  of  security  analysis.  The  figure  depicts  the  analysis  of  a  system  intended  to 
provide  a  secure  way  to  downgrade  files  from  one  network,  approved  to  process  information  at  level 
High,  to  another  network,  approved  to  process  information  at  some  lower  level  Low.  The  overall  strategy 
is  to  require  the  Downgrade  Officer  (DO)  to  review  individually  each  file  requested  for  downgrade 
according  to  a  set  of  Downgrade  Procedures.  As  shown,  the  primary  claim  in  the  Technological  Security 
domain  is  that  a  device,  which  we  call  the  Downgrades  ensures  that  only  the  DO  downgrades  files. 


This  technological  claim  assumes  that  the  DO  is  trustworthy  to  downgrade  files  properly.  As  shown 
in  the  figure,  this  assumption  is  validated  by  two  claims  in  the  Personnel  Security  domain:  that  the  DO 
passes  a  personal  background  investigation  and  that  the  DO  is  trained  in  Downgrade  Procedures.  This 
assumes,  in  turn,  that  the  procedures  used  for  background  investigations  accurately  predict  the 
trustworthiness  of  people  investigated.  In  addition,  the  Downgrade  Procedures,  when  correctly  applied, 
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must  ensure  that  information  is  downgraded  properly.  The  first  assumption  is  noted  as  a  security 
vulnerability.  Indeed,  one  could  make  claims  about  the  effectiveness  of  the  investigative  procedures,  as 
part  of  the  Operational  Security  domain,  but  we  have  decided  to  place  this  assumption  at  the  boundary  of 
our  security  argument.  The  second  assumption,  on  the  other  hand,  is  the  subject  of  the  Operational 
Security  domain. 

Two  operational  claims  and  one  operational  assumption  validate  the  assumption  that  the  Downgrade 
Procedures  ensure  proper  downgrade.  The  claims  require  that  the  Downgrade  Procedures  have  certain 
properties,  i.e.,  that  they  ensure  that  every  file  be  inspected  before  downgrade  and  that  only  those  files 
that  contain  no  High  information  be  downgraded.  An  inherent  difficulty  of  any  downgrade  process  is 
determining  the  appropriate  classification  of  an  object.  The  assumption  that  the  Downgrade  Procedures 
correctly  indicate  whether  a  file  contains  High  information  is  therefore  a  security  vulnerability  that  we 
live  with. 

Another  assumption  of  the  Technological  Security  domain  is  that  only  users  with  role  DO  may 
modify  the  Downgrader  function,  including  its  physical  configuration.  Two  claims  in  the  Physical 
Security  domain  validate  this  assumption  by  requiring  that  the  Downgrader  be  locked  in  a  cabinet,  which 
if  broken  disables  the  downgrade  service.  This  assumes  that  the  mission  can  tolerate  an  interruption  of  the 
downgrade  service,  a  vulnerability  for  the  argument  described,  and  that  only  the  DO  has  keys  to  the 
cabinet.  As  shown,  this  second  assumption  is  validated  by  claims  concerning  Physical  Access  Procedures 
of  the  Operational  Security  domain. 

Partitioning  security  requirements  into  the  four  security  domains  helps  determine  how  to  protect 
information  in  the  most  cost-effective  manner.  Since  we  cannot  practically  avoid  risk  altogether,  the  task 
becomes  one  of  developing  a  partitioning  that  provides  a  good  balance  between  affordability  and  risk 
reduction.  One  could,  for  instance,  introduce  guard  inspections  into  the  Downgrader  example  to  reduce 
the  risk  of  interrupted  service  due  to  physical  attack.  This  would,  of  course,  increase  the  personnel  and 
operational  costs  associated  with  operating  the  Downgrader.  The  program  manager  would  need  to  decide 
whether  the  reduction  in  risk  is  worth  the  corresponding  increased  cost  for  the  operational  environment. 

Characterizing  the  assumptions  associated  with  each  domain  and  explicitly  mapping  assumptions  to 
their  validating  claims,  if  any,  further  helps  to  outline  the  boundary  of  the  security  argument. 
Assumptions  with  no  validation  are  at  the  edge  of  this  boundary  and  map  to  real  security  vulnerabilities. 
These  vulnerabilities  must  be  assessed  when  deciding  whether  the  residual  risk  is  tolerable  in  the 
operational  environment.  The  evaluator  also  needs  to  ensure  the  integrity  of  the  assumption  validation 
mapping  itself.  In  the  Downgrader  example,  the  reader  may  have  noticed  the  lack  of  any  claims  to  ensure 
consistent  application  of  the  Physical  Access  Procedures.  Conscientious  application  of  the  above 
approach  helps  to  uncover  such  gaps,  identifying  security  vulnerabilities  that  were  not  previously 
considered. 

Clearly,  the  above  notation  is  too  cumbersome  to  handle  the  complexity  associated  with  real 
applications.  Extending  the  Downgrader's  argument  to  cover  the  gap  identified  above  would  result  in 
additional  claims  and  assumptions  that  would  make  the  argument  very  difficult  to  understand  and 
manage,  even  for  this  relatively  simple  example.  Visual  NRM  provides  a  notation  and  tool  support  that 
significantly  improves  our  ability  to  map  out  and  evaluate  the  integrity  of  such  arguments. 

1.2.  Visual  NRM  Maps 

Although  the  notation  used  to  construct  Visual  NRM  maps  draws  on  a  number  of  sources  [2-4],  its 
primary  basis  is  the  Goal  Structuring  Notation  originally  developed  at  the  Defence  Research  Agency 
(DRA)  [5]  for  the  elaboration  of  system  safety  arguments  [6],  As  shown  in  Fig.  3,  distinct  graphical 
primitives  (shapes)  of  the  notation  represent  key  components  of  the  argument  map;  a  textual  summary  of 
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each  component  is  shown  inside  each  shape.  The  spine  of  an  argument  map  hierarchically  refines  security 
claims  about  the  system  into  subclaims  and,  eventually,  into  the  evidence  that  a  claim  is  satisfied.  The 
flesh  of  an  argument  map  describes  supporting  information  about  the  refinement  such  as  the  general 
strategy,  assumptions  made,  justifying  reasons,  and  contextual  models. 

Longer,  more  detailed  descriptions  of  the  map  components  can  be  hyperlinked  to  the  shapes,  shown 
in  the  figure  as  dashed  arrows.  For  example,  architectural  diagrams  may  be  hyperlinked  to  model  shapes; 
detailed  assurance  evidence,  e.g.,  mathematical  proofs  and  test  suites,  may  be  hyperlinked  to  evidence 
shapes.  Security  vulnerabilities  can  be  tracked  by  hyperlinking  assumptions  made  in  one  part  of  the 
argument  to  validating  claims  made  in  another  part  of  the  argument.  Such  assumptions  become 
dependencies  of  the  argument.  Assumptions  that  are  not  so  linked  become  vulnerabilities  that  must  be 
considered  when  assessing  residual  risk. 

13.  Visual  NRM  Tool  Architecture 

The  Visual  NRM  toolset  was  built  to  be  easy  to  use,  maintain,  and  extend.  Its  design  supports  ease- 
of-use  by  using  graphical  user  interfaces  that  are  familiar  to  a  large  portion  of  the  potential  user 
community.  The  design  uses  standard,  widely  accepted  software  components  that  support  both  the  need 
for  familiar  interfaces  and  the  need  to  maintain  compatibility  of  Visual  NRM  with  cutting  edge 
technology.  As  well-supported  software  components  evolve,  Visual  NRM  can  evolve  in  like  manner  with 
a  minimal  amount  of  effort.  Finally,  extensibility  is  important  to  the  evolving  Visual  NRM  design  so  that 
when  users  identify  additional,  value-added  functions,  the  toolset  can  be  extended  easily  with  minimal 
changes  to  the  existing  implementation.  The  design  supports  extensibility  primarily  through  the  use  of 
client-server  and  modular  design  techniques. 


Fig.  3-Visual  NRM  assurance  argument  maps 

Fig.  4  depicts  the  Visual  NRM  (VNRM)  tool  architecture.  The  VNRM  Explorer  provides  a  user- 
friendly  front-end  to  the  VNRM  Database  (VNDB)  for  tools  in  the  VNRM  Tool  Library.  The  VNDB, 
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which  is  implemented  in  Microsoft  Access,  stores  the  artifacts  of  an  assurance  argument,  including  the 
Visual  NRM  map  and  its  documentation,  on  a  project-by-project  basis.  Users  manage  and  access  Visual 
NRM  projects  through  the  VNRM  Explorer,  an  interface  that  has  the  familiar  look  and  feel  of  the 
standard  Microsoft  Windows/NT  Explorer.  Tools  in  the  library  can  update  the  VNDB  only  through  the 
VNRM  Explorer  so  as  to  preserve  the  consistency  of  the  VNDB  data  and  the  tools'  views  of  that  data.  The 
VNRM  Explorer  notifies  any  tools  that  have  a  need  to  know  when  data  are  updated. 


Four  tools  that  support  creating  and  documenting  Visual  NRM  argument  maps  currently  reside  in  the 
VNRM  Tool  Library.  VNRM  Designer  uses  the  Visio®  extensible  drawing  package  to  create,  analyze, 
and  hyperlink  Visual  NRM  maps.  These  maps  can  be  integrated  (as  OLE  links)  into  textual  documents 
using  the  VNRM  Documentor,  which  is  implemented  using  Microsoft  Word®.  Both  the  Visio  and  Word 
environments  were  extended  using  Visual  Basic  (VB)  to  support  Visual  NRM-specific  function.  The 
VNRM  Dictionary  permits  defining  a  standard  terminology  for  consistent  application  across  or  within 
Visual  NRM  projects.  Terms  so  defined  are  highlighted  in  the  textual  parts  of  the  map  and  its 
documentation.  Finally,  VNRM  Desktops  provides  a  virtual  desktops  function  to  associate  different 
segments  of  an  assurance  argument  map  for  simultaneous  elaboration  or  examination. 
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Fig.  4-Visual  NRM  tool  architecture 

1.4.  Installing  Visual  NRM 

1.4.1.  System  Requirements 

Installing  and  running  Visual  NRM  requires  the  following: 

•  Windows  98  or  Windows  NT  4.0  (Intel)  operating  system 

•  Pentium-class  personal  computer  (PC) 

•  32  megabytes  of  RAM  or  more 
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•  15  megabytes  of  free  disk  space 

•  Microsoft  Word  97  installed 

•  Visio  Professional  5.0  installed  (Service  Release  C  is  needed  and  can  be  obtained  at 
<http://www.visio.com/support/service/index.htxnl>) 

•  WordToWeb2  is  not  required;  however,  without  it,  the  HTML  generation/viewing  functions 
from  the  VNRM  Documentor  will  not  work 

I. 4.2.  Instructions  for  Installation 

1.  If  installing  Visual  NRM  over  a  previous  version,  copy  the  Vndb.mdb  file  and  the  entire  Projects 
directory  to  a  backup  location. 

2.  To  start  with  a  new  Database  and  Projects  directory,  Delete  the  Projects  directory  and  the  Vndb.mdb 
files  from  the  VNRM  install  directory  prior  to  running  the  setup. 

3.  If  using  a  downloaded  installation  file,  extract  the  contents  of  the  zip  file  downloaded,  preferably  into 
a  temporary  empty  directory.  After  installing  these  files  they  can  be  deleted. 

4.  Execute  the  Setup.exe  file  located  in  the  extracted  directory.  If  installing  from  floppy  disks,  this  file 
resides  on  the  disk  #1. 

5.  The  setup  application  will  run  and  display  several  information  windows  and  ask  for  a  destination  path 
for  the  Visual  NRM  application.  We  suggest  using  C:\VNRM. 

6.  The  setup  must  copy  some  custom  files  to  the  Visio  Professional  5.0  Solutions  directory.  The  setup 
attempts  to  locate  this  via  a  registry  search.  It  will  most  likely  find  the  correct  path.  However,  if  the 
Dialog  asking  for  this  path  has  a  blank  edit  box,  then  use  the  Browse  button  to  locate  the  Visio  install 
directory  on  your  computer  or  network.  This  is  typically  installed  at  C:\Program  FilesYVisio. 

7.  The  setup  must  copy  some  custom  files  to  the  Microsoft  Office/Word  97  Templates  directory.  The 
setup  attempts  to  locate  this  via  a  registry  search.  It  will  most  likely  find  the  correct  path.  However,  if 
the  Dialog  asking  for  this  path  has  a  blank  edit  box,  use  the  Browse  button  to  locate  the  Normal.dot 
file  used  by  your  Microsoft  Office  application  on  your  computer  or  network.  This  is  typically 
installed  at  C:\Program  Files\Microsoft  OfficeXTemplates. 

8.  The  setup  will  display  an  information  window  explaining  the  current  install  settings.  Click  the  Next 
button  to  begin  copying  files;  click  the  Back  button  to  change  the  settings. 

9.  The  setup  program  will  next  copy  all  the  necessary  files  onto  your  system,  set  up  environment 
variables  for  the  application,  setup  a  shortcut  for  the  tool  in  your  Start  Menu  /  Programs  folder  and  set 
up  a  shortcut  on  your  desktop. 

10.  If  the  install  was  successful  in  locating  Microsoft  Word  97,  it  will  load  in  order  to  run  an  installation 
template  macro.  If  macro  security  is  turned  on  in  Word,  a  dialog  box  arises  asking  whether  to  Enable 
Macros,  Disable  Macros,  or  Cancel.  Choose  Enable  Macros.  The  macros  contained  in  this  template 
simply  move  a  macro  called  ReadyHTML  to  the  Normal  template.  (Cautious  users  may  perform  this 
step  manually  by  Disabling  Macros,  exiting  Word,  and,  after  the  setup  is  complete,  following  the 
instructions,  found  in  the  Installation  Troubleshooting  section  of  this  manual.)  By  Enabling  Macros 
(or  if  macro  security  is  disabled),  a  message  box  appears  stating  the  macro  has  been  copied.  Click  OK 
and  the  template  document  will  close.  Exit  Word  to  return  to  the  setup. 

I I.  The  setup  requires  Windows  98  users  to  reboot  for  proper  setting  of  environmental  variables.  It  is  not 
necessary  for  Windows  NT  users  to  reboot  prior  to  running  the  Visual  NRM  application. 
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12.  Once  the  setup  is  complete,  remove  the  extracted  zip  files  from  your  system  to  reclaim  that  space. 
Keep  a  copy  of  the  zip  file  or  floppy  disks,  in  case  re-installation  is  necessary. 

1.4.3.  Starting  Visual  NRM 

To  start  Visual  NRM,  execute  the  VisualNRM  shortcut  created  in  the  Programs  Folder  of  the  Start 
Menu,  double-click  the  VisualNRM  shortcut  created  on  the  desktop,  or  execute  the  file  ctarget 
dir>\Bin\VnrmExplorer.exe.  The  Desktops  and  Dictionary  tools  are  available  from  within  the 
VnrmExplorer  or  Designer  (Visio)  environments.  The  Dictionary  tool  is  also  available  from  within  the 
Documentor  (Word)  environment.  A  special  menu  and  toolbar  within  Visio  and  Word  provides  the  Visual 
NRM  specific  functionality. 

1.4.4.  Installation  Troubleshooting 

•  The  installation  should  properly  register  a  Visual  Basic  user  control  that  our  software  relies  on.  If  you 
experience  errors  relating  to  communication  between  the  VNRM  Explorer  tool  and  the  Designer 
(Visio)  or  Documentor  (Word)  tools,  you  may  need  to  manually  register  this  file.  To  do  this,  ran 
FastOcx.exe  in  the  ctarget  dir>\Bin  folder.  Right-click  the  IpcComm.ocx  file  in  the  ctarget 
dir>\NrmLib  directory  to  register  it.  Choose  Register  from  the  resulting  pop-up  menu. 

•  The  Installation  Routine  should  have  created  the  necessary  Environment  Variables  (VndbPath  and 
WordToWebPath).  If  necessary,  this  can  be  done  manually: 

For  Windows  98,  add  or  modify  the  following  two  lines  in  your  C:\autoexec.bat  file: 

•  set  VndbPath=  ctarget  location  of  the  VNRM  installation,  for  example  "C:\VNRM"> 

•  set  WordToWebPath=  ctarget  location  of  the  WordToWeb2  installation,  for  example 
"c:\Program  Files  \WordToWeb2"> 

For  NT,  set  these  environmental  variables  in  the  usual  way.  (Control  Panel  /  System  / 
Environment  Tab) 

•  The  installation  copies  a  template  file  for  Visual  NRM  Drawings  to  the  Visio  Solutions  directory. 
This  can  be  done  manually  by  copying  ctarget  dii>\VnrmDesigner\VnrmDesignerDrawing.vst  to  the 
Visio  Solutions  directory. 

•  If  step  10  of  the  Instructions  for  Installation  was  not  successful,  either  because  the  Word  application 
could  not  be  located  or  macros  were  disabled,  you  must  manually  execute  it.  Double-click  the 
NRMstrt.dot  in  the  directory  where  you  installed  Visual  NRM,  e.g.,  C:\Vnrm.  If  prompted  whether  to 
Enable  Macros,  Disable  Macros,  or  Cancel,  choose  Enable  Macros.  The  macros  contained  in  this 
template  simply  move  a  macro  called  ReadyHTML  to  the  Normal  template.  Click  OK  to  the  status 
box  and  the  template  document  will  close.  Exit  Word. 

1.4.5.  Uninstalling  Visual  NRM 

To  remove  Visual  NRM  from  the  system,  use  the  Add/Remove  Programs  utility  within  Control  Panel. 
Choose  the  Install/Uninstall  tab  and  select  Visual  NRM  from  the  list  of  applications.  Click  the 
Add/Remove  button.  At  the  Confirm  File  Deletion  prompt,  click  Yes  to  proceed.  UninstallShield  will  be 
loaded.  If  prompted,  do  not  delete  any  shared  files  that  were  copied  to  your  machine  during  the 
installation. 
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1.5.  Structure  and  Terminology  of  This  Manual 

The  rest  of  this  document  provides  both  tutorial  and  reference  documentation  for  Visual  NRM. 
Section  2  is  a  tutorial  that  touches  on  core  functions  for  each  of  the  Visual  NRM  tools  to  give  the  user  a 
hands-on  overview  of  Visual  NRM  capabilities.  The  remaining  sections  provide  reference  information  for 
beginning  or  experienced  Visual  NRM  users.  Henceforth,  we  conform  to  the  following  terminology  and 
notational  standards: 

•  The  term  click  refers  to  a  click  of  the  left  button  of  the  mouse.  When  a  right-click  is  needed,  we 
specifically  say  right-click.  Double-click  means  clicking  the  left  mouse  button  twice  in  rapid 
succession.  We  also  combine  the  Alt  and  Ctrl  keys  with  mouse  clicks  and  other  keystrokes.  For 
example,  Alt-double  click  means  to  double  click  the  left  mouse  button  while  holding  down  the  Alt 
key. 

•  The  term  dragging,  as  in  dragging  an  object,  means  holding  down  on  the  left  mouse  button  on  the 
object  and  moving  it  to  a  different  position.  Release  the  button  only  when  you  have  completed  the 
repositioning. 

•  We  use  the  Helvetica  font  to  denote  text  that  is  to  be  entered  or  viewed  by  the  user  at  a  Visual 
NRM  tool  interface. 

•  For  menu  selection,  the  phrase  select  menu  item  AIBIC,  for  example,  means  to  select  menu  A,  then 
select  submenu  B  of  A,  and,  finally,  to  select  menu  item  C  from  submenu  B. 

2.  TUTORIAL 

In  this  tutorial  you  will  construct  a  small  portion  of  a  security  assurance  argument  map  for  a  simple 
information  downgrader.  6  contains  the  argument  map  used  in  this  tutorial. 

2.1.  Start  Visual  NRM 

Start  Visual  NRM  by  double-clicking  the  VnrmExplorer.exe  program  in  the  VNRM  home  directory 
Bin  folder.  There  should  also  be  a  menu  item  Programsl Visual  NRM  under  your  start  menu.  We  suggest 
putting  a  shortcut  icon  on  your  desktop  for  easy  access.  Regardless  of  the  method  of  invocation,  VNRM 
Explorer  is  the  first  interface  you  see  and  is  the  center  of  Visual  NRM  processing  activity. 

□  Start  Visual  NRM. 

2.2.  Establish  a  Visual  NRM  Project 

You  should  now  have  the  VNRM  Explorer  interface  in  front  of  you,  which  will  look  similar  to  that 
shown  in  Fig.  5.  The  interface  is  split  into  two  primary  parts.  The  left-side  window  contains  the  primary 
objects  that  constitute  a  Visual  NRM  argument  map,  organized  as  a  TreeView  hierarchy.  The  right-side 
window  contains  descriptions  of  certain  elements  when  they  are  selected  in  the  left-hand  window.  The 
model  of  organization  is  the  conventional  Windows/NT  Explorer,  with  which  most  PC  users  should  be 
familiar.  Most  operations  on  VNRM  objects  are  available  from  either  the  menu  items  at  the  top,  or  the 
toolbar  right  below  it.  Click  on  the  Viewl Large  Icons  menu  item  to  see  the  toolbar  icons  in  more  detail. 
Dragging  any  comer  of  the  VNRM  Explorer  interface  expands  the  size  of  the  window.  Dragging  the  bar 
between  the  left  and  right  windows  in  the  interface  re-apportions  the  space  allotted  the  two  windows. 
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Fig.  5-VNRM  Explorer  interface 


To  create  a  new  project: 

□  Click  on  the  Projects  keyword  on  the  left-hand  side.  This  should  highlight,  in  a  different 
color,  the  word  Projects,  as  shown  in  Fig.  5. 

□  Click  FilelNew  to  bring  up  the  Project  Identification  dialog.  Click  the  different  tabs  to  see  the 
types  of  information  that  can  be  associated  with  a  project.  This  information  will  be  filled  in 
later  since  it  is  only  used  in  the  VNRM  Documentor.  You  could  have  also  invoked  the  New 
command  by  pressing  Ctrl-N  from  the  VNRM  Explorer  interface.  This  is  indicated  to  the 
right  of  the  FilelNew  menu  item.  Such  indications  inform  the  user  when  Control,  e.g.,  Ctrl-N, 
or  Function  Keys,  e.g.,  FI ,  can  be  used  instead  of  clicking  on  menu  items. 

□  Go  to  the  Product  tab  and  change  the  name  of  the  project  to  Tutorial  by  replacing  the 
default,  -  New  Project,  with  Tutorial. 

□  Click  the  X  button. 

Visual  NRM  projects,  including  the  project  that  you  just  created,  are  shown  at  the  top-level  of  the 
TreeView  hierarchy. 

□  Click  on  the  Tutorial  project.  The  label  above  the  right-side  window  reads  description. 

□  Click  in  the  window  below  the  label  and  enter  a  description  of  the  project,  perhaps  the 
description  A  simple  information  downgrader. 

Certain  nodes  of  the  TreeView  can  be  associated  with  descriptions,  such  as  this,  simply  as  comments 
to  the  user  regarding  the  intended  purpose  of  the  object.  The  system  does  not  rely  on  these  descriptions 
for  correct  operation  and,  thus,  they  can  be  omitted  if  desired. 

To  expand  the  Tutorial  project: 

□  Click  on  the  plus  sign  to  the  left  of  the  Tutorial  folder  TreeView  icon.  Three  branches  of  the 
Tutorial  project  will  appear,  one  for  each  of  the  tools  -  VNRM  Designer,  VNRM 
Dictionary,  and  VNRM  Documentor. 
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□  Click  on  the  Designer  branch.  We  are  going  to  create  a  new  Designer  document.  We  could 
do  this  by  clicking  the  FilelNew  menu  item  as  before.  Instead,  however,  use  the  toolbar. 
Hold  the  cursor  over  the  first  toolbar  icon,  the  one  shaped  like  a  piece  of  paper.  You'll  notice 
a  little  box  pop-up  with  the  word  New  in  it.  This  tells  the  user  the  function  that  is  invoked  as 
a  result  of  clicking  that  toolbar  item.  The  names  correspond  to  the  names  used  in  the  menu 
bar. 

□  Click  the  New  toolbar  icon.  A  Document  Identification  dialog  box  will  appear.  Again,  this 
information  is  only  used  in  the  VNRM  Documentor. 

□  Change  the  document  title  to  Information  Downgrader. 

□  Click  the  X  button. 

The  VNRM  Designer  will  appear  with  a  blank  document  available  for  editing.  Notice  that  the  VNRM 
Explorer  continues  executing,  and  must  remain  executing,  while  VNRM  Designer  executes.  Close 
VNRM  Explorer  only  when  all  other  Visual  NRM  tools  have  been  properly  exited. 

23.  Define  the  Downgrader  Problem 

You  should  have  VNRM  Designer  (Visio)  open  with  a  blank  drawing  page,  which  will  look  similar  to 
that  shown  in  Fig.  6.  The  page  will  have  Information  Downgrader:  Page-1  in  the  window  title  bar.  We 
will  construct  on  this  page  the  first-level  refinement  of  the  downgrade  problem. 

2.3.1.  Name  the  Page 

To  change  the  name  of  the  page  from  its  default  Page-1 : 

□  Click  Filel Page  Setup. 

□  Click  the  Page  Properties  tab  of  the  dialog  box 

□  Change  the  name  to  The  Problem. 

□  Click  OK. 

□  Click  the  DesignerlSaveAll  menu  item. 

As  you  are  using  VNRM  Designer,  remember  to  save  your  work  often  by  using  the  SaveAll  menu 
item  (in  the  Designer  menu)  or  toolbar  icon. 

2.3.2.  Add  Shapes  to  the  Page 

The  first-level  refinement  is  shown  in  Appendix  A,  Fig.  Al.  To  draw  this  refinement,  use  the  shapes 
on  the  stencil  in  the  upper  left-hand  comer  of  the  VNRM  Designer  interface. 

To  create  the  Objective  shape: 

□  Drag  the  Objective  shape  to  the  blank  drawing  page.  Notice  that  the  shape  has  small  green 
squares  around  it,  indicating  that  it  is  selected.  If  you  click  the  middle  of  the  shape,  the 
squares  turn  gray.  If  you  click  it  again,  they  turn  back  to  green.  Since  selecting  a  shape  will 
be  important  for  future  operations,  this  distinction  is  important.  Green  boxes  means  the  shape 
is  selected;  gray  boxes,  or  no  boxes,  means  the  shape  is  not  selected. 

□  Reposition  the  shape,  if  necessary,  by  dragging  it  to  the  new  position. 

□  Double-click  the  shape.  A  larger  version  of  the  shape  will  appear. 

□  Select  the  larger  shape. 

□  Enter  the  text  shown  in  the  objective  shape  of  Fig.  Al.  The  text  will  automatically  format 
itself;  do  not  enter  any  carriage  returns  or  other  formatting  manually. 
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□  Click  the  X  at  the  top  right-hand  comer. 
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Fig.  6-VNRM  Designer  interface 

Dictionary  terms  are  highlighted  as  the  word  downgrade  is  in  the  objective  shape  of  Fig.  Al.  To 
define  a  term  in  the  project's  dictionary: 

□  Start  up  the  VNRM  Dictionary  by  clicking  the  DesignerlDictionary  menu  item.  The  tool 
that  appears  looks  similar  to  that  shown  in  Fig.  7,  with  a  list-box  on  top  of  a  text-box.  The 
Dictionary  can  also  be  invoked  by  clicking  the  little  blue  book  icon  on  the  toolbar.  You'll 
notice  the  Dictionary  label  if  you  hover  over  the  icon,  as  in  the  VNRM  Explorer.  Many  of 
the  Designer  menu  items  are  available  on  the  toolbar 

□  Click  the  diamond  shape  to  the  left  of  the  upper  list-box. 

□  Click  Add. 

□  Type  downgrade  into  the  list-box. 

□  Hit  return.  This  action  eventually  highlights  the  word  downgrade  in  the  objective  shape. 
There  may  be  a  brief  lag  time  since  the  Add  checks  the  database  to  ensure  that  the  term  is 
not  already  defined. 
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□  Enter  the  definition  of  downgrade  in  the  text-box,  e.g.,  moving  information  from  one 
classification  level  to  a  lower  classification  level. 

a  Click  the  downgrade  term  in  the  list-box  to  accept  the  definition. 

Returning  to  VNRM  Designer: 

□  Add  the  other  shapes  that  appear  in  Fig.  A1  to  the  drawing  page  (i.e.,  a  Model,  a  Strategy,  a 
Reasoning,  an  AND  gate,  and  four  Claim  shapes),  just  as  you  did  for  the  Objective  shape. 
Do  not  worry  that  the  claim  shapes  are  not  shaded.  Shading  indicates  that  they  are  links  to  a 
refinement  on  a  different  page,  which  we  will  set  up  later. 

□  Add  the  text  and  dictionary  terms  indicated,  defining  terms  as  you  see  fit.  Appendix  A 
contains  our  definitions. 
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Fig.  7-VNRM  Dictionary  interface 


233 .  Connect  and  Label  Shapes 

When  the  text  for  all  the  shapes  in  Fig.  A1  have  been  entered,  the  shapes  can  be  connected.  The 
Connector  Tool  is  invoked  by  clicking  the  Connector  Tool  icon  on  the  (Standard)  toolbar,  i.e.,  the  toolbar 
icon  that  shows  a  line  connecting  two  squares,  between  the  toolbar  icons  displaying  a  big  letter  A  and  a 
pencil. 

To  connect  and  label  the  shapes: 

□  Click  Connector  Tool  toolbar  icon;  notice  that  the  cursor  on  the  drawing  page  has  a  little 
crooked  arrow  beside  it,  an  indication  that  the  Connector  Tool  is  operational.  The  small  blue 
x's  on  each  shape  are  the  start  and  end  points  for  a  connector.  Each  connector  is 
unidirectional. 

□  Put  the  cursor  beside  a  blue  x  on  the  source  shape;  a  black  box  should  appear  around  the  blue 
x. 

□  Drag  an  arrow  to  a  blue  x  on  the  destination  shape. 

□  If  necessary,  to  change  the  blue  x  to  which  a  connector  is  attached,  hold  the  cursor  directly 
over  the  connection  point  until  a  four-pronged  arrow  appears,  and  click  drag  the  connection 
to  the  new  connection. 

□  Finish  connecting  the  shapes  as  shown  in  Fig.  Al.  Don't  worry  about  the  Claim  shapes  to 
which  the  Shape  Links  are  linked;  we  deal  with  these  in  a  later  section. 

□  To  get  out  of  the  Connection  mode,  click  the  Pointer  Tool  icon.  The  Pointing  mode  is  the 
typical  mode  you  want  to  be  in  when  not  connecting  shapes,  thus  the  reason  for  laying  out  all 
the  shapes  on  a  page  before  connecting  them  together. 
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□  Label  the  shapes  using  the  DesignerILabel  Shapes  menu  item  or  Label  Shapes  toolbar  icon. 
This  operation  labels  the  shapes  in  the  documents  of  the  currently  active  project  in  a  breadth- 
or  depth-first  manner,  depending  on  the  option  set  in  the  DesignerlOptions  dialog  (the 
default  is  breadth-first  labeling).  Label  Shapes  also  labels  any  connectors  whose  labels  could 
not  be  resolved  when  first  drawn. 

2.3.4.  Format  Shapes  on  Page  and  Pages  in  Window 

You  can  now  position  the  shapes  and  connections  on  the  page  to  your  liking.  Visio  has  an  alignment 
tool  that  is  particularly  helpful  for  lining  shapes  up  on  the  page. 

To  align  all  of  the  shape  links  in  a  straight  row: 

□  Select  all  of  the  shape  links.  Multiple  shapes  can  be  selected  by  de-selecting  all  shapes  on  the 
page  and  then  shift-clicking  each  shape  to  be  included. 

□  Click  Toolsl Align  Shapes. 

□  Choose  the  type  of  alignment  desired;  the  first  Up-Down  alignment  works  nicely  for  this 
particular  example. 

□  Click  T ools  I  Distribute  Shapes. 

□  Choose  the  first  Left/Right  distribution;  this  distributes  the  shapes  evenly  across  the  page. 

□  Click  OK. 

The  look  of  the  diagram  can  also  be  improved  by  adjusting  the  height  of  the  horizontal  bend  for  the 
connectors  between  the  AND/OR  gates  and  the  shapes  to  which  they  point.  To  do  this: 

□  Click  on  the  connector  between  the  AND  gate  and  the  second  claim  (Clm2). 

□  Put  the  cursor  over  the  green  x. 

□  Drag  the  bend  to  a  new,  more  appropriate  height. 

□  Through  alignment  and  connector  bend  repositioning,  make  your  refinement  as  nice  looking 
as  in  Fig.  Al. 

To  get  rid  of  the  excess  drawing  space  on  the  page,  making  it  more  convenient  for  editing: 

□  Click  Filel  Page  Setup. 

□  Under  the  Page  Size  tab  click  the  Size  Page  to  Fit  Drawing  button. 

□  Click  OK. 

To  view  the  whole  page: 

□  Click  the  ViewlWhole  Page  menu  item. 

□  Re-size  the  window  as  desired  by  dragging  any  comer  of  the  active  window. 

□  To  save  these  settings  as  default,  right-click  on  a  blank  portion  of  the  page  and  click  Save 
Window  Settings. 

Henceforth,  whenever  you  open  this  page,  the  position  and  size  of  the  page's  window  will  be  the  same 
as  when  you  performed  the  last  Save  Window  Settings. 

2.3.5.  Build  a  Contextual  Model 

We  are  now  going  to  create  an  architectural  diagram  to  which  the  model  shape  Fig.  Al  will  be 
hyperlinked.  This  is  the  purpose  of  the  small  square  shape,  henceforth  called  the  Hyperlink  shape,  on  the 
right  comer  of  the  Model  shape. 

To  add  the  Hyperlink  shape: 
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□  Select  the  model  shape. 

□  Invoke  the  Add  Hyperlink  menu  item  (in  the  Designer  menu)  or  toolbar  icon.  This  places  an 
unshaded  Hyperlink  shape  on  the  Model  shape,  indicating  that  it  has  not  yet  been 
instantiated. 

□  To  instantiate  the  Hyperlink,  double-click  the  Hyperlink  shape.  This  raises  a  dialog  box  with 
three  sections:  the  first  identifies  the  file  path  or  URL  for  the  link;  the  second  identifies  a 
named  location  within  the  file  or  URL  to  jump  to;  and  the  third  is  an  optional  description  that 
will  appear  when  the  cursor  hovers  over  the  hyperlink  shape.  The  first  section  is  predefined 
to  be  the  pathname  of  the  currently  active  document;  leave  that  section  alone. 

□  Enter  the  string  Downgrader  Diagram  in  the  second  and  third  sections.  You  will  create  this 
diagram  subsequently. 

□  Click  OK.  This  shades  the  hyperlink  indicating  that  it  is  instantiated. 

□  If  you  entered  the  hyperlink  information  incorrectly,  right-click  the  Hyperlink  shape  and 
click  the  Hyperf inkf  Edit  Hyperlink  menu  item. 

To  create  the  page  that  you  have  just  linked: 

□  Click  the  Insertl Page  menu  item. 

□  Click  the  Page  Properties  tab  in  the  resulting  dialog  box. 

□  Enter  Downgrader  Diagram  in  the  Name  text  box. 

□  Click  the  Open  Page  in  New  Window  checkbox. 

□  Re-size  the  window  by  dragging  any  comer  to  the  desired  size. 

□  Reposition  the  window,  if  necessary,  so  that  both  of  the  pages,  The  Problem  and 
Downgrader  Diagram,  are  visible. 

To  create  the  diagram  that  illustrates  the  Downgrader’s  external  environment  using  two  other  stencils 
available  in  the  Visio  Professional  package  (Appendix  A,  Fig.  A2): 

□  Select  the  window  that  you  just  created. 

□  Click  FilelStencilsINetwork  DiagramIBasic  Network  Shapes  3D.  All  of  the  shapes  you 
see  in  Fig.  A2  (Workstation,  Server,  Printer,  Computer,  Laptop,  Room,  Bus  Network, 
and  Ring  Network)  are  available  from  this  stencil  except  the  Man  Holding  Folder,  which 
is  available  from  FilelStencilsI Visio  ExtrasIClipart.  A  Workstation  shape  was  used  to 
represent  the  Downgrader.  If  the  3-dimensional  version  of  the  stencil  is  not  available,  use 
equivalent  shapes  from  the  two-dimensional  stencil  called  simply  Basic  Network  Shapes. 

□  Drag  and  drop  the  shapes  onto  the  page. 

□  Connect  the  shapes  as  shown  in  the  diagram  using  the  Connector  Tool,  as  before. 

□  Label  the  shapes  as  shown  in  the  diagram.  Names  of  shapes  can  be  edited  by  simply  double¬ 
clicking  the  shape.  There  is  a  handle  for  moving  the  labels  to  the  desired  position.  The 
formatting  of  lines  and  text  can  be  adjusted  using  the  functions  available  under  the  Format 
menu  item. 

2.4.  Refine  the  Argument  Map 

Now  we  will  expand  the  refinement  begun  on  the  page  called  The  Problem  in  the  document  called 
Information  Downgrader.  We  will  add  a  separate  document  for  refining  each  of  the  subclaims  on  this 
page. 
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2.4.1.  Add  a  New  Document 

To  add  a  new  document: 

□  Click  the  FilelNewIVnrmDesignerDrawing  menu  item  to  create  a  new  document.  This 
action  raises  a  dialog  box  requesting  the  project  to  which  the  new  document  is  to  be  added. 

□  Double-click  the  T utorial  project. 

□  Change  the  name  of  the  page  to  DO  Downgrade  by  clicking  FilelPage  Setup  and  selecting 
the  Page  Properties  tab  as  before. 

In  the  current  version  of  Visual  NRM,  the  document  name  has  to  be  changed  from  the  VNRM 
Explorer  interface.  To  do  this: 

□  Open  the  Designer  branch  of  the  T utorial  Project  from  VNRM  Explorer. 

□  Double-click  the  name  of  the  document  just  created. 

□  Type  the  new  name  Technology  Security  and  hit  the  enter  key. 

□  Go  back  to  VNRM  Designer  to  the  page  just  created.  The  name  of  the  window  of  this  page 
will  eventually  be  updated  to  Technology  Security;  DO  Downgrade  to  reflect  the 
renaming. 

2.4.2.  Expand  Refinement  to  New  Document 

To  expand  the  refinement  to  the  new  page: 

□  Select  the  window  containing  the  The  Problem  page  in  VNRM  Designer. 

□  Right-click  the  first  Claim  shape  that  you  created  earlier,  which  should  now  be  labeled  Clml, 
and  click  Convert  to  Claim  Link.  This  shades  the  interior  of  the  shape,  which  is  now  referred 
to  as  a  Claim  Link. 

□  Double-click  this  new  shape.  A  Claim  shape  will  appear  to  which  the  Shape  Link  is  linked. 
Notice  that  the  same  text  appears  in  both  shapes.  In  fact,  the  user  can  not  edit  the  Claim  Link 
text  directly;  VNRM  Designer  maintains  their  consistency  automatically. 

□  Select  the  newly  created  Claim  shape.  * 

□  Click  the  EditICut  menu  item. 

□  Select  the  window  containing  the  DO  Downgrade  page. 

□  Click  Filel  Paste  to  paste  the  Claim  shape  that  you  just  cut.  This  creates  a  link  between 
designer  documents  that  can  be  traversed  by  alt-double  clicking  the  Claim  shape  and  its 
corresponding  Claim  Link. 

□  We  now  want  to  create  the  structure  shown  in  Fig.  A3,  on  the  DO  Downgrade  page.  Do  this 
in  a  manner  similar  to  the  construction  of  the  structure  on  the  The  Problem  page  in  section 
2.3.  The  Dependency  shape  is  added  as  an  Assumption  shape  and  only  becomes  a 
Dependency  when  it  is  validated  by  Clm2.  For  now,  do  not  worry  about  the  red  Validation 
shapes. 

□  Click  Designer! Label  Shapes.  This  operation  will  label  the  shapes  for  all  documents  in  the 
current  project. 

□  Click  DesignerlSave  All. 

□  Follow  the  instructions  in  Sections  2.4.1  and  2.4.2  for  each  of  the  other  sub-Claims  on  the 
The  Problem  page.  The  names  of  the  documents  and  pages  to  create  for  each  refinement  are 
shown  in  Table  L 
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Table  1  “-Refinement  Elaboration  Information 


Root  Shape  Label 

Document  Name 

Page  Name 

Fig.  Number 

Clml 

Technology  Security 

DO  Downgrader 

Fig.  A3 

Clm2 

Physical  Security 

Physical  Access 

Fig.  A4 

Clm3 

Personnel  Security 

DO  Trustworthy 

Fig.  A5 

Clm4 

Operational  Security 

Downgrade  Procedures 

Fig.  A6 

2.4.3.  Create  Validation  Links 

It  is  important  to  assess  each  assumption  in  the  argument  map  to  determine  whether  claims  or 
evidence  elsewhere  in  the  argument  can  validate  it,  since  assumptions  that  are  not  validated  represent  a 
potential  security  vulnerability.  Let's  look  first  at  Assumption  Asml  on  the  DO  Downgrade  page.  Claim 
Clm2  on  the  Physical  Access  page,  which  states  that  only  the  DO  may  modify  Downgrader  function, 
assures  that  the  Downgrader  is  not  tampered  with  by  unauthorized  individuals. 

To  indicate  this  validation,  let's  create  a  validation  link  between  Clm2  and  Asml: 

□  Deselect  all  shapes  by  clicking  the  Deselect  All  menu  item  (from  the  Designer  menu)  or 
toolbar  icon. 

□  Select  only  Asml  and  Clm2. 

□  Click  the  Validate  Assumption  menu  item  or  toolbar  icon.  If  these  were  the  only  two  shapes 
selected,  the  validation  link  should  correctly  show  that  Clm2  validates  Asml. 

□  If  necessary,  remove  shapes  included  in  the  Validation  stack  that  are  not  needed  by  right- 
clicking  the  Validation  shape  and  clicking  Remove  Validation. 

□  If  necessary,  remove  the  whole  validation  stack  by  right-clicking  the  validating/validated 
shape  and  clicking  Remove  Validation  Stack. 

□  Re-label  the  shapes  by  clicking  Designer! Label  Shapes.  This  converts  the  Assumption 
shape  into  a  Dependency  shape,  indicating  the  assumption  has  been  validated. 

2.4.4.  Construct  a  Virtual  Desktop 

At  times,  it  is  convenient  to  have  collections  of  pages  that  are  developed,  analyzed,  and/or  presented 
as  a  group.  We  call  such  groupings  virtual  desktops.  The  VNRM  Desktops  interface  consists  of  three 
parts:  a  desktop  viewer  in  the  main  body  with  a  list  box  underneath.  To  the  left  of  the  list  box  is  a  pull¬ 
down  menu  with  Add  and  Delete  commands.  We  now  create  a  simple  desktop  using  the  VNRM 
Desktops  tool: 

□  From  VNRM  Designer  invoke  VNRM  Desktops  by  clicking  the  Designer! Desktops  menu 
item  or  the  Desktops  toolbar  icon.  An  interface  similar  to  that  shown  in  Fig.  8  should 
appear. 

□  Close  all  but  the  The  Problem  and  Downgrader  Diagram  pages  of  the  Information 
Downgrader  document.  If  this  document  is  not  currently  loaded,  load  it  by  right-clicking  the 
document  in  VNRM  Explorer  and  clicking  Designer.  Once  you  have  The  Problem  page 
showing,  double-click  the  hyperlink  shape  in  the  Downgrader  Diagram  Model  shape  to  open 
the  Downgrader  Diagram  page. 

□  Position  and  size  these  pages  as  you  like. 

□  Click  the  pull-down  menu  on  the  VNRM  Desktops  tool. 
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□  Click  Add. 

□  Type  in  the  list  box  the  name  of  the  desktop,  e.g.,  DowngradeProblem. 

□  Hit  the  carriage  return.  A  miniature  version  of  the  desktop  is  shown  in  the  desktop  viewer. 


Fig.  8-VNRM  Desktops  interface 


VNRM  Desktops  allows  desktops  that  include  pages  from  different  documents.  To  construct  a  multi¬ 
document  desktop: 

□  Close  the  Downgrader  Diagram  page. 

□  Open  the  pages  associated  with  each  of  the  first  three  claims  on  The  Problem  page  by  alt- 
double  clicking  the  link  shapes  for  each. 

□  Arrange  the  pages  as  desired. 

□  Invoke  the  Add  operation  in  VNRM  Desktops  as  before. 

□  Type  a  name  for  the  new  desktop,  e.g.,  DORestrictedDowngrade. 

□  Hit  the  carriage  return.  This  desktop  reflects  the  part  of  the  argument  describing  how  the 
downgrade  function  is  limited  to  only  DO  application.  But  note  that  the  DO  Trustworthy 
page  does  not  really  belong  to  this  grouping. 

□  To  delete  DO  Trustworthy  from  the  desktop,  click  the  miniature  version  of  the  page  in  the 
desktop  viewer. 

□  Click  the  miniature  version  again. 

□  Select  the  Remove  from  Desktop  menu  item. 


2.4.5.  Exit  VNRM  Designer 

At  this  point,  you  have  invoked  several  tools,  possibly  including  VNRM  Designer,  VNRM 
Dictionary,  VNRM  Desktops,  and,  of  course,  VNRM  Explorer.  All  of  these  tools  are  executing 
independently,  so  they  need  to  be  shut  down  separately.  However,  when  exiting  Visual  NRM  altogether, 
always  exit  VNRM  Explorer  last,  since  it  is  the  means  through  which  Visual  NRM  updates  the  VNDB. 
For  now,  just  exit  the  other  three  tools: 

□  Exit  VNRM  Dictionary  by  clicking  the  X  in  the  upper  right-hand  comer  of  the  window. 

□  Exit  VNRM  Desktops  by  clicking  the  X  in  the  upper  right-hand  comer  of  the  window. 
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□  Exit  VNRM  Designer  either  by  clicking  the  X  or  the  FilelExit  menu  item.  This  may  ask  you 
whether  you  want  to  save  each  document.  You  should  generally  save  any  documents  to  which 
you  have  made  any  changes,  since  the  database  is  updated  incrementally  as  you  make 
modifications.  If  you  really  do  not  want  your  changes  saved,  you  may,  but  you  will  have  to 
re-synchronize  the  database  the  next  time  you  open  the  project  (section  4.1.12).  You  do  not 
need  to  save  the  Vnrm.vsd  when  it  asks,  although  it  does  not  hurt  to  do  so.  Finally,  Visual 
NRM  was  developed  on  the  Windows  98  platform.  Unfortunately,  for  users  of  Windows  NT, 
there  is  an  error  in  Windows  NT  that  causes  Visio  to  break  on  exit.  This  does  not  cause  a 
problem  as  long  as  you  have  saved  your  Designer  documents  previously. 

2.5.  Document  the  Argument  Map 

So  far,  you  have  constructed  the  graphical  components  of  the  Downgrader  Argument  Map.  You  are 
now  going  to  create  the  Microsoft  Word  document  that  will  serve  as  the  framework  for  describing  the 
argument  map  in  a  form  suitable  to  the  evaluators  of  the  argument. 

2.5.1.  Add  the  Documentor  Document 

The  Documentor  permits  the  graphical  components  to  be  imported  and  placed  in  the  manner  desired 
by  the  developer  to  meet  the  needs  of  the  evaluation.  To  use  the  hierarchical  structure  of  the  map,  the 
Documentor  requires  that  the  developer  identify  the  root  page  of  each  Designer  document,  i.e.,  the  page 
that  forms  the  top  of  the  hierarchy  for  the  document  of  which  it  is  a  part.  To  do  this: 

□  Select  the  VNRM  Explorer  interface. 

□  Open  the  T utorial  project,  if  not  already  open,  to  display  the  three  branches  of  the  project. 

□  Open  the  Designer  branch,  if  not  already  open,  to  display  the  five  documents  that  we 
constructed. 

□  Open  the  Information  Downgrader  document  by  clicking  on  the  plus  sign  to  the  left  of  that 
branch.  You’ll  see  two  branches,  one  for  the  Downgrader  Diagram  Visio  drawing  and  one 
for  the  The  Problem  page.  The  Problem  page  is  the  root  of  the  Information  Downgrader 
document. 

□  Right-click  The  Problem  page 

□  Click  the  Set  Root  Page  menu  item.  You’ll  notice  that  The  Problem  is  bolded,  indicating 
its  status  as  root  page. 

□  In  a  similar  manner,  for  each  of  the  other  four  documents,  open  the  document  and  set  the 
(only  existing)  page  as  root. 

□  Close  the  Designer  branch  by  clicking  the  minus  sign  to  the  left  of  the  branch. 

Now  you  can  add  a  new  Documentor  document,  much  like  we  did  to  create  the  Designer  document 
previously: 

□  Click  the  Documentor  branch 

□  Click  the  New  toolbar  icon.  A  Document  Identification  dialog  box  will  appear,  as  before. 

To  fill  out  the  fields  of  the  dialog: 

□  Entitle  the  document  Information  Downgrader  Assurance  Argument  Map. 

□  You  are  the  author,  so  use  your  identification  in  the  author-related  fields. 

□  Use  your  own  organization’s  format  for  referencing  documents  in  the  Reference  Number 
field,  e.g.,  at  NRL  we  often  use  references  of  the  form  NRL  Technical  Memorandum 
5540-xxx:apm. 
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□  Fill  in  any  other  fields  that  you  desire.  Any  information  that  you  do  not  fill  out  will  not  be 
completed  when  the  Documentor  document  template  is  instantiated.  This  is  not  a  problem, 
since  those  fields  can  either  be  completed  manually  or  deleted  altogether.  However,  fields 
that  are  completed  manually  are  not  entered  in  the  VNDB. 

□  Click  the  X  in  the  upper  right  comer.  VNRM  Documentor  will  appear,  similar  to  that  shown 
in  Fig.  9,  with  the  uninstantiated  Documentor  template  open  for  editing.  Fields  of  the 
template  document  appear  in  the  document  as  a  description  of  the  field  delimited  by  square 
brackets.  Again,  notice  that  VNRM  Explorer  continues  executing,  and  must  remain 
executing,  while  VNRM  Documentor  executes. 

To  instantiate  the  Documentor  template: 

□  Click  the  Identify  Project  menu  item  (of  the  Documentor  menu)  or  toolbar  icon.  Notice  that 
not  all  fields  are  instantiated,  because  we  skipped  filling  out  certain  project  properties  when 
we  originally  created  the  project. 

□  Go  back  to  VNRM  Explorer. 

□  Select  the  T utorial  project. 

□  Click  the  FilelPropertieslldentify  Project  menu  item  or  the  Identify  Project  toolbar  icon. 

□  Fill  in  the  properties 

□  Return  to  VNRM  Documentor. 

□  Invoke  Documentorlldentify  Project  to  instantiate  fields  in  the  rest  of  the  template. 

□  If  certain  fields  are  not  applicable  to  your  project,  simply  delete  them.  This  may  require 
deleting  rows  from  the  Point  of  Contact  table,  e.g.,  by  selecting  the  row  and  clicking 
Tablel Delete  Row. 

2.5.2.  Import  the  Argument  Map 

To  import  the  argument  map  that  you  created  in  VNRM  Designer: 

□  Click  the  Import  VNRM  Map  menu  item  (under  the  Documentor  menu)  or  toolbar  icon. 
This  invokes  a  dialog  box  similar  to  that  shown  in  Fig.  10). 

□  Make  sure  the  Insert  Documents  as  Chapters  and  the  Manual  DB  Field  Update  options 
are  selected  (as  shown). 

□  Select  the  documents  for  inclusion  in  the  following  order:  Information  Downgrade^ 
Technology  Security,  Physical  Security,  Personnel  Security,  and  Operational 
Security.  Do  this  by  clicking  on  each  document  and  clicking  the  Select  button,  in  sequence. 
If  you  make  a  mistake,  you  can  remove  the  document  from  the  list  of  Selected  Documents 
by  clicking  the  Remove  button. 

□  Click  the  Submit  button.  The  importation  process,  which  takes  a  few  minutes  to  complete,  is 
finished  when  the  dialog  box  disappears. 
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Fig.  9-VNRM  Documentor  interface 


The  Documentor  is  using  the  hierarchical  structure  of  the  Designer  diagrams  as  the  section  structure 
for  the  Word  document.  Each  page  of  the  Designer  document  is  placed  in  its  own  section,  with  the 
hyperlink  information  translated  to  figure  and  page  number  cross-references.  The  Designer  diagrams  and 
hyperlink  tables  are  imported  as  OLE  links  so  that  they  can  be  updated  as  the  Designer  documents  change 
in  VNRM  Designer.  Choosing  the  Manual  DB  Field  Update  option  forces  the  user  to  update  diagrams 
manually  by  clicking  Documentor! Update  Fields  Now  menu  item.  Although  automatic  update  may 
seem  better,  the  overhead  costs  associated  with  Word  regularly  checking  the  need  for  an  update  is 
prohibitive  for  larger  projects.  The  tables  must  always  be  updated  manually  using  the 
DocumentorlUpdate  Tables  menu  item. 


Visual  NRM  User's  Manual 


21 


Fig.  1 0-Dialog  box  for  importing  an  argument  map 


2.5.3.  Insert  the  Dictionary 

To  import  and  extend  the  project  dictionary  that  you  created  in  VNRM  Designer: 

□  Click  the  Update  Dictionary  Table  menu  item  (under  the  Documentor  menu)  or  toolbar 
icon.  This  inserts  a  table  of  the  dictionary  entries  as  a  separate  chapter  at  the  end  of  the 
document. 

□  Open  up  the  VNRM  Dictionary  tool  by  clicking  the  Documentor!  Dictionary  menu  item. 

□  Click  the  diamond  shape  to  the  left  of  the  upper  list-box. 

□  Click  Add. 

□  Type  trustworthy  into  the  list-box. 

□  Hit  the  return. 

□  Enter  the  definition  of  trustworthy  in  the  text-box,  e.g.,  dependable  execution  of 
responsibility. 

□  Click  the  trustworthy  term  in  the  list-box  to  accept  the  definition. 

□  Click  X  in  the  upper  right  comer. 

□  To  reflect  the  changes  to  the  dictionary  in  the  Word  document,  invoke  the  Update 
Dictionary  Table  function  in  VNRM  Documentor  again.  Note  that  you  should  not  change 
the  definitions  in  the  Word  table  directly,  since  these  changes  do  not  update  the  database  and 
will  be  lost  the  next  time  Update  Dictionary  Table  is  invoked.  Changes  to  shapes  that 
contain  the  new  term  will  not  be  updated  until  the  project  documents  are  opened  using 
VNRM  Designer. 

3.  VNRM  EXPLORER 

The  VNRM  Explorer  provides  a  utility  to  help  manage,  build,  and  review  Visual  NRM  assurance 
argument  maps.  Its  interface,  shown  in  Fig.  1 1,  is  split  into  two  primary  windows.  The  window  on  the  left 
presents  the  project  management  hierarchy  in  the  TreeView  form  familiar  to  users  of  Microsoft's 
Windows/NT  Explorer.  The  window  on  the  right  presents  additional  information  about  the  node  of  the 
hierarchy  chosen,  and  highlighted,  on  the  left.  Fig.  1 1  also  shows  the  definition  of  the  term  downgrade  in 


the  Downgrader  project  dictionary.  But  we  are  getting  ahead  of  ourselves.  Let's  first  describe  the  structure 
of  the  project  management  hierarchy. 


m,  VNEM  Explorer 
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Fig.  11-VNRM  Explorer  interface 


The  top-level  of  the  VNRM  hierarchy,  Projects,  is  split  into  a  Global  Dictionary  and  a  list  of  projects 
currently  under  construction  Fig.  11  shows  three  projects  -  Downgrader,  Network  Pump,  and  Traffic 
Lights  —  of  which  only  Downgrader  is  opened  for  viewing.  The  Global  dictionary  defines  terms  that  must 
be  used  consistently  across  all  projects.  Although  the  Visual  NRM  toolset  does  not  ensure  their  consistent 
application,  it  does  ensure  that  users  are  aware  of  when  globally  defined  terms  conflict  with  terms  defined 
local  to  a  project.  All  terms  are  highlighted  when  used  in  VNRM  argument  maps,  indicating  that  their 
special  meaning  is  defined  in  either  the  global  or  a  project-local  dictionary. 
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Each  project  in  the  hierarchy  has  three  branches  -  Designer,  Dictionary,  and  Documentor  -  which 
organizes  the  development  artifacts  associated  with  each  tool.  The  Dictionary  branch  contains  the  set  of 
terms  defined  local  to  the  project.  When  more  than  10  terms  are  defined,  a  classification  is  automatically 
created  to  help  more  easily  locate  terms  of  interest.  Fig.  11  shows  the  partitioning  of  the  Downgrader 
project's  dictionary  into  a-m,  n-z,  and  one  for  terms  starting  with  nonalphabetic  characters.  The 
Documentor  branch  simply  lists  the  set  of  textual  (Microsoft  Word)  reports  that  have  been  produced  to 
describe  the  VNRM  maps  produced.  We  next  describe  the  Designer  branch,  which  is  where  most  of  the 
work  of  producing  VNRM  maps  takes  place.  VNRM  Desktops  does  not  currently  have  its  own  branch, 
but  can  be  accessed  from  the  Tools  menu  to  be  discussed  later. 

The  Designer  branch  contains  the  primary  development  artifacts  associated  with  the  graphical 
elements  of  Visual  NRM  maps.  Designer  documents,  at  the  top-level,  contain  a  set  of  pages,  at  the  next 
level,  which,  in  turn,  each  contain  a  set  of  shapes.  As  shown  in  Fig.  11,  the  Downgrader  project  is  split 
into  five  documents,  Secure  Downgrade  and  one  for  each  of  the  NRM  security  disciplines.  The 
Personnel  Security  document  is  split  into  four  pages.  The  page  of  the  same  name  is  the  root  claim  tree, 
indicated  by  it  bold  formatting.  This  page  forms  the  top  level  of  the  claim  tree  hierarchy  in  the  document; 
all  other  pages  in  the  document  describe  subtrees  of  the  top  level.  Finally,  Fig.  11  shows  the  shapes  and 
corresponding  shape  labels  that  appear  on  the  DO  Trustworthy  page.  Clicking  these  shapes  show  their 
contained  text  on  the  right.  Designer  documents,  pages,  and  shapes  correspond  to  Visio  documents, 
pages,  and  shapes,  as  will  become  apparent  in  section  4  on  the  VNRM  Designer. 

The  VNRM  Explorer  maintains  many  of  the  Windows/NT  conventions  for  adding,  deleting,  and 
renaming  nodes  within  the  TreeView  hierarchy.  Nodes  can  be  added  using  the  insert  and  delete  keys. 
Nodes  that  permit  modification  can  be  renamed  in-line  by  double-clicking  the  node,  typing  the  new  name, 
and  hitting  return.  Certain  nodes  of  the  VNRM  Explorer  hierarchy  cannot  be  added,  deleted,  or  renamed 
within  the  Explorer,  even  though  one  might  think  they  should  be.  In  particular,  the  page  and  shape  nodes 
of  the  Designer  branch  for  a  project  can  only  be  modified  within  VNRM  Designer. 

The  rest  of  this  section  describes  the  functions  provided  by  the  VNRM  Explorer.  The  functions  are 
largely  organized  according  to  the  menu  item  in  which  they  can  be  invoked.  Each  function  description 
includes,  as  appropriate,  preconditions  of  use,  results  of  execution,  additional  means  of  invocation,  and 
future  enhancements.  If  the  function  can  be  invoked  via  the  toolbar,  the  toolbar  icon  representing  the 
function  is  displayed.  Since  Visual  NRM  is  an  evolving  prototype,  certain  functions  may  not  yet  be 
implemented.  We  describe  these  future  enhancements  to  provide  a  more  complete  picture  of  where  Visual 
NRM  is  going. 

3.1.  File  Menu 

3.1.1 .  New 

rm  The  New  menu  item  creates  a  new  VNRM  project,  Designer  document,  Dictionary  term,  or 
I  I  Documentor  document.  The  type  of  object  created  depends  on  which  node  of  the  TreeView  is 
I  I!J :!S!y-t  highlighted  at  the  time.  Select  Projects  or  a  specific  project  when  adding  a  new  project;  do 
likewise  to  add  the  other  types  of  objects.  In  the  case  of  a  Designer  or  Documentor  document,  New  brings 
up  the  Properties  dialog  for  identifying  various  attributes  of  the  object  (section  3.1.3)  and  then  invokes 
Designer  (section  3.4.1)  or  Documentor  (section  3.4.4),  as  appropriate.  In  all  cases,  New  creates  the  new 
entry  in  the  TreeView  and  gives  it  a  default  name.  The  name  can  be  changed  by  double  clicking  the  item 
and  editing  it  in-line.  New  can  also  be  invoked  by  depressing  Ctrl-N  or  the  Insert  key,  or  by  right-clicking 
an  object  of  the  type  you  wish  to  insert. 


3.1.2.  Delete 


The  Delete  menu  item  deletes  a  VNRM  project,  Designer  document,  Dictionary  term,  or 
f  Documentor  document.  Delete  removes  the  node  currently  highlighted  in  the  TreeView 

jpff  ■■■■■■■'■  »  hierarchy,  provided  it  is  one  of  the  four  types  list  above.  Since  there  is  no  undo  for  the  Delete 
operation,  it  asks  for  confirmation  before  it  actually  deletes  an  object.  Delete  can  also  be  invoked  by 
depressing  Ctrl-D  or  the  Delete  key,  or  by  right-clicking  an  object  of  the  type  you  wish  to  insert. 


3.1.3.  Properties 

a  The  Properties  menu  item  allows  the  user  to  assign  various  attributes  to  VNRM  projects 
and  documents.  Properties  bring  up  a  dialog  box  in  which  the  user  assigns  values  to  the 
attributes  of  the  project  or  document  selected  in  the  TreeView.  These  attributes  identify  these 
objects  and  are  used  to  automatically  fill-in  parameters  of  a  (MS  Word)  template  used  to  create 
Documentor  documents.  The  Properties  dialog  also  arises  when  a  new  document  is  created  so  that 
proper  initial  values  can  be  attributed. 

3.1.4.  Set  Root  Page 

The  Set  Root  Page  menu  item  identifies  the  root  page  of  a  Designer  document.  The  root  page  is 
needed  in  the  Documentor  as  a  starting  point  for  importing  the  pages  of  a  Designer  document  as  a  distinct 
chapter  of  an  MS  Word  document.  VNRM  Explorer  indicates  the  current  root  page  of  a  document  by 
formatting  its  name  in  bold  font.  Set  Root  Page  can  also  be  invoked  by  depressing  Ctrl-R  or  by  nght- 
clicking  on  the  page  to  be  set. 


■  The  Print  menu  item  is  currently  not  implemented.  We  plan  to  permit  the  user  to  print 
portions  of  VNRM  maps  directly  from  the  VNRM  Explorer.  Currently,  the  user  needs  to  open 
_ _  up  VNRM  Designer  or  VNRM  Documentor  to  print  the  maps. 

3.1.6.  Exit 

The  Exit  menu  item  terminates  the  VNRM  Explorer  session.  Exit  can  also  be  invoked  by  depressing 
Ctrl-E  or  clicking  on  the  X  in  the  upper  right-hand  comer  of  the  VNRM  Explorer  interface. 

3.2.  Edit  Menu 


The  Undo  menu  item  undoes  the  last  Cut  (section  3.2.2)  or  Paste  (section  3.2.4)  operation 
performed.  If  Cut  or  Paste  was  not  previously  invoked.  Undo  has  no  effect.  Undo  can  also  be 
invoked  by  depressing  Ctrl-Z. 


”■■■•  The  Cut  menu  item  cuts  highlighted  text  from  a  dictionary  definition  that  is  displayed  on 

.sJjjtf.L ::  the  right  window  in  the  VNRM  Explorer.  The  text  that  is  deleted  is  stored  in  the  system 
;/  0  clipboard  so  that  a  subsequent  Past©  (section  3.2.4)  inserts  the  cut  text  at  the  current  cursor 
position.  If  a  dictionary  entry  is  not  displayed  with  text  highlighted,  Cut  has  no  effect.  We  plan  to 
enhance  the  Cut  function  to  apply  to  shape  text  accessible  from  VNRM  Explorer.  Cut  can  also  be 
invoked  by  depressing  Ctrl-X. 
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3.2.3.  Copy 

I _Q__  The  Copy  menu  item  stores  in  the  system  clipboard  the  highlighted  text  from  a  dictionary 

13  ]  definition  that  is  displayed  on  the  right-hand  window  in  the  VNRM  Explorer.  The  stored  text  is 

available  to  a  subsequent  Paste  (section  3.2.4),  which  inserts  the  stored  text  at  the  current 
cursor  position.  If  a  dictionary  entry  is  not  displayed  with  text  highlighted,  Copy  has  no  effect.  We  plan 
to  enhance  the  Copy  function  to  apply  to  shape  text  accessible  from  VNRM  Explorer.  Copy  can  also  be 
invoked  by  depressing  Ctrl-C. 

3.2.4.  Paste 


The  Paste  menu  item  inserts  text  at  the  current  cursor  position  of  the  dictionary  definition 
that  is  displayed  on  the  right-hand  window  in  the  VNRM  Explorer.  The  text  inserted  is  that 
stored  in  the  system  clipboard  at  the  time  of  the  Paste,  as  a  result  of  a  previous  Cut  (section 
3.2.2)  or  Copy  (section  3.2.3)  operation.  If  a  dictionary  entry  is  not  displayed  with  the  cursor  positioned, 
Paste  has  no  effect.  We  plan  to  enhance  the  Paste  function  to  apply  to  shape  text  accessible  from 
VNRM  Explorer.  Paste  can  also  be  invoked  by  depressing  Ctrl-V. 


3.2.5.  Find 


The  Find  menu  item  is  not  currently  implemented.  We  plan  to  permit  the  user  to  find 
strings  that  occur  in  the  definition  of  terms  in  dictionaries  or  in  shape  text.  This  function  will  be 
useful  for  ensuring  that  terms  are  used  consistently  or  for  applying  a  format  to  particular  string. 


3.2.6.  Format  Menu 


3.2.6.I.  Bold,  Italics,  Underline,  Small  Caps 


B  1  U  Abc 

definition.  If  a  dictionary  entry  is  not 
These  format  commands  will  also 
respectively. 


The  Format  menu  items  are  not  currently  implemented.  We 
plan  to  provide  functions  to  format  (embolden,  italicize,  underline, 
or  small  capitalize,  respectively)  highlighted  text  from  a  dictionary 
displayed  with  text  highlighted,  the  operations  will  have  no  effect, 
be  invocable  by  depressing  Ctrl-B,  Ctrl-1,  Ctrl-U,  or  Ctrl-S, 


33.  View  Menu 


3.3.1.  Toolbar/Status  Bar 

The  Toolbar  and  Status  Bar  menu  items  determine  whether  the  Toolbar  and  Status  Bar  in  the 
VNRM  Explorer  are  visible  or  not.  The  default  is  that  both  bars  are  visible.  The  bars  are  visible  only 
when  their  corresponding  menu  items  are  checked.  Clicking  one  of  the  menu  items  when  unchecked 
makes  that  bar  visible  and  checks  the  menu  item.  Clicking  a  checked  menu  item  makes  that  bar  invisible 
and  unchecks  the  menu  item.  We  plan  to  enhance  the  status  bar  to  include  more  useful  information 
regarding  the  status  of  particular  operations.  The  visibility  of  the  Toolbar  and  Status  Bar  can  also  be 
toggled  using  the  function  key  F9  and  Ctrl-F9,  respectively. 

3.3.2.  Small/Large  Icons 

The  Small  Icons  and  Large  Icons  menu  items  determine  the  size  of  the  toolbar  and  TreeView  cons 
and  corresponding  text.  Large  icons  are  useful  for  demonstrations  to  other  individuals.  Small  icons  are 
useful  for  reducing  the  amount  of  space  that  the  VNRM  Explorer  takes  up  on  the  screen.  Small  icons  are 
the  default.  The  check  indicates  which  size  is  chosen.  The  user  can  toggle  between  small  and  large  icons 
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by  clicking  on  the  menu  item  that  is  currently  not  checked.  Clicking  a  checked  menu  item  has  no  effect. 
Small  Icons  can  also  be  invoked  by  depressing  the  F1 1  function  key;  Large  Icons  can  be  invoked  by 
depressing  Ctrl-F1 1 . 


3.33.  Go  Back  Leaf  Node/Go  Forward  Leaf  Node 


The  Go  Back  Leaf  Node  and  Go  Forward  Leaf  Node  allows  the  user  to  re¬ 
visit  previously  selected  leaf  nodes  in  the  VNRM  Explorer  TreeView,  similar  to  the 

. mmm  [[[[[nr.[[  Back  and  Forward  functions  of  most  WWW  browsers.  If  no  earlier  leaf  nodes  are 

visited.  Go  Back  Leaf  Node  has  no  effect;  similarly,  if  no  later  nodes  are  visited,  Go  Forward  Leaf 
Node  has  no  effect.  These  operations  can  also  be  invoked  by  depressing  the  function  keys  FI  2  and  Ctrl- 
F1 2,  respectively. 


3.3.4.  Show  Brief/Long  Descriptions 

r_ _ ffrrfif  The  Show  Brjef  Descriptions  and  Show  Long  Descriptions  menu  items 

fc;  ==  EE  determine  whether  the  shape  text,  when  displayed  in  the  right  window  of  the  VNRM 
Explorer,  is  the  brief  (summary)  description  or  the  long  (detailed)  description.  A 
longer  description  is  useful  in  some  cases  where  a  complete  description  of  a  shape  type,  e.g.,  a  claim,  is 
not  easily  displayed  in  the  confines  of  a  graphical  shape  that  must  be  presented  in  the  context  of  a  larger 
VNRM  argument  map.  Brief  descriptions  are  the  default.  The  check  indicates  whether  brief  or  long 
descriptions  are  chosen.  The  user  can  toggle  between  brief  and  long  descriptions  by  clicking  on  the  menu 
item  that  is  currently  not  checked.  Clicking  a  checked  menu  item  has  no  effect. 


3.3.5.  Refresh 

The  Refresh  menu  item  refreshes  the  VNRM  Explorer  interface.  Refresh  can  also  be  invoked  by 
depressing  Ctrl-R. 

3.3.6.  Options 

The  Options  menu  item  is  currently  not  implemented.  We  plan  to  provide  a  capability  to  customize 
the  user  interface  and  default  settings  via  an  Options  dialog  box.  This  function  will  also  be  invocable  by 
depressing  Ctrl-O. 

3.4.  Tools  Menu 


3.4.1.  VNRM  Designer 

The  VNRM  Designer  menu  item  starts  VNRM  Designer  (section  4),  loading  the  Designer 
object  currently  highlighted  in  the  TreeView  hierarchy.  If  a  project  is  highlighted,  all  the 
Designer  documents  in  that  project  are  loaded.  Invoking  Designer  on  objects  that  are  not 
Designer  objects  has  no  effect.  If  VNRM  Designer  is  already  executing,  this  command  just  loads  the 
indicated  objects  into  the  existing  session,  unless  they  are  already  loaded.  Designer  can  also  be  invoked 
by  depressing  the  FI  function  key  or  by  right-clicking  on  the  project  or  document  to  be  edited.  This 
function  assumes  the  availability  of  Visio  Professional. 


3.4.2.  VNRM  Desktops 


The  VNRM  Desktops  menu  item  performs  the  Designer  operation  (section  3.4.1), 
followed  by  starting  VNRM  Desktops  (section  5),  if  necessary,  and  loading  the  desktops  for  the 
project  loaded  into  VNRM  Designer.  Desktops  can  also  be  invoked  by  depressing  the  F2 
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function  key  or  by  right-clicking  on  the  project  or  document  whose  desktops  are  of  interest. 

3  A3.  VNRM  Dictionary 

HThe  VNRM  Dictionary  menu  item  starts  VNRM  Dictionary  (section  6),  if  necessary,  and 
loads  the  dictionary  terms  of  the  project  currently  highlighted  in  the  TreeView  hierarchy.  If  an 
object  of  a  project  is  highlighted,  Dictionary  loads  the  terms  for  that  project.  If  an  element  of 
the  IGlobal  branch  is  highlighted,  Dictionary  loads  the  terms  from  the  Global  Dictionary.  Dictionary  can 
also  be  invoked  by  depressing  the  F3  function  key  or  by  right-clicking  on  the  project  whose  dictionary  is 
of  interest. 

3AA.  VNRM  Documentor 

The  VNRM  Documentor  menu  item  starts  VNRM  Documentor  (section  7),  loading  the 
Documentor  object  currently  highlighted  in  the  TreeView  hierarchy.  Invoking  Documentor  on 
objects  that  are  not  Documentor  objects  has  no  effect.  If  VNRM  Documentor  is  already 
executing,  this  command  just  loads  the  indicated  objects  into  the  existing  session,  unless  they  are  already 
loaded.  Documentor  can  also  be  invoked  by  depressing  the  F4  function  key  or  by  right-clicking  on  the 
Documentor  document  of  interest.  This  function  assumes  availability  of  Microsoft  Word  97. 

3A.5.  World  Wide  Web  Menu 


3.4.5.1.  Generate  HTML 

The  Generate  HTML  menu  item  generates  HTML  for  the  object  currently  highlighted  in 
the  TreeView  hierarchy.  If  the  Designer  node  is  highlighted,  this  command  generates  HTML 
for  all  of  the  Designer  documents  under  that  node.  If  a  particular  Designer  or  Documentor 
document  is  highlighted,  this  command  generates  HTML  for  that  document.  Generate  HTML  can  also 
be  invoked  by  depressing  the  F5  function  key  or  by  right-clicking  on  the  Designer  node  or  the  document 
of  interest.  This  function  assumes  availability  of  Visio  Professional  and  SolutionSoft's  WordToWeb 
HTML  generator. 

3.4.5.2.  View  HTML 

The  View  HTML  menu  item  views  the  HTML  for  the  object  currently  highlighted  in  the 
TreeView  hierarchy,  provided  the  HTML  was  previously  generated  using  Generate  HTML 
(section  3.4.5. 1).  If  the  Designer  node  is  highlighted,  this  command  views  HTML  for  all  of  the 


Designer  documents  under  that  node.  If  a  particular  Designer  or  Documentor  document  is  highlighted, 
this  command  views  HTML  for  that  document.  If  no  HTML  was  previously  generated  for  the  object,  this 
command  has  no  effect.  View  HTML  can  also  be  invoked  by  depressing  the  F6  function  key  or  by  right- 
clicking  on  the  Designer  node  or  the  document  of  interest.  This  function  assumes  the  availability  of  an 
HTML  viewing  capability. 

3.4.5 3.  Home  Page 

The  Home  Page  menu  item  hyperlinks  to  the  Visual  NRM  Project  home  page.  Although 
this  page  is  currently  under  construction,  we  plan  to  eventually  permit  access  to  Visual  NRM 
tools,  documentation,  and  Visual  NRM  applications.  Home  Page  can  also  be  invoked  by 
depressing  the  F7  function.  This  function  assumes  the  availability  of  an  Internet  browsing  capability. 

3.4.5.4.  Search  WWW 

The  Search  WWW  menu  item  provides  access  to  a  generic  internet  search  engine.  We 
plan  to  provide  a  specific  function  to  help  download  information  from  the  Internet  directly  into 
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Visual  NRM  argument  maps,  as  appropriate,  for  the  argument  under  construction.  Search  WWW  can 
also  be  invoked  by  depressing  the  F8  function.  This  function  assumes  the  availability  of  an  Internet 
browsing  capability. 

3.5.  Help  Menu 

3.5.7.  User  Guide 

The  User  Guide  menu  item  brings  up  a  hypertext  version  of  this  document.  This  document  can  also 
be  invoked  by  depressing  Ctrl-G.  This  function  assumes  the  availability  of  an  HTML  viewing  capability. 

3.5.2.  Search  For  Help  On. . . 

The  Search  For  Help  On  menu  item  is  not  currently  implemented.  We  plan  to  include  an 
||Mjf  MS  Windows/NT-like  help  facility.  This  facility  will  also  be  invocable  by  depressing  Ctrl-H. 

3.5.3. 

3.5.4.  About  VNRM  Explorer. . . 

The  About  VNRM  Explorer  menu  item  provides  additional  information  about  the  tool.  It  can  also  be 
invoked  by  depressing  Ctrl-A. 

4.  VNRM  DESIGNER 

VNRM  Designer  uses  the  Visio  extensible  drawing  package  to  create  and  analyze  the  graphical 
portion  of  Visual  NRM  argument  map  for  a  VNRM  project.  Fig.  12  depicts  the  Visio  interface 
customized  with  VNRM  Designer  specific  functions.  The  VNRM  Designer  stencil  appears  in  the  upper 
left-hand  comer  of  the  figure.  Users  drag  and  drop  shapes  into  document  pages  shown  in  the  body  of  the 
interface.  A  string  of  the  form  document  name:  page  name  identifies  each  document  page  in  its  title 
bar.  Fig.  12  displays  pages  from  three  documents:  Information  Downgrader,  Technology  Security, 
and  Physical  Security.  Document-level  partitioning  forms  the  highest  level  decomposition  of  the 
assurance  argument  to  be  mapped.  Pages  partition  the  problem  within  a  document  at  the  next  level  down. 
A  good  partitioning  is  important  for  managing  complexity  and,  also,  as  we  will  see  in  section  7,  for  semi- 
automatically  producing  structured  textual  documents  describing  the  mapping. 

VNRM  Designer  functions  are  accessible  from  the  Visio  interface  through  either  the  Designer  menu 
or  toolbar  icons  on  the  Standard  toolbar.  The  rest  of  this  section  describes  the  functions  available  to  build 
Visual  NRM  maps.  Each  function  description  includes,  as  appropriate,  preconditions  of  use,  the  results  of 
execution,  additional  means  of  invocation,  and  future  enhancements.  If  the  function  can  be  invoked  via 
the  toolbar,  the  toolbar  icon  representing  the  function  is  displayed.  Since  Visual  NRM  is  an  evolving 
prototype,  certain  functions  may  not  yet  be  implemented.  We  describe  these  future  enhancements  to 
provide  a  more  complete  picture  of  where  Visual  NRM  is  going.  We  do  not  describe  Visio-specific 
functions,  but  refer  the  reader  to  the  Visio  documentation.  However,  since  this  function  is  crucial  to  using 
the  VNRM  Designer,  we  illustrate  in  the  section  2  tutorial  how  Visio-specific  functions  are  used  in 
combination  with  the  custom  function  to  accomplish  common  tasks. 
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4.1.  Designer  Menu 


4.1.1.  Save  All 


The  Save  All  menu  item  saves  all  the  Designer  documents  currently  loaded  into  VNRM 
Designer.  Since  the  Visual  NRM  Database  (VNDB)  is  being  updated  continuously  as  you  edit 
Designer  documents,  it  is  important  to  always  save  everything  after  editing.  If  there  are 
elements  that  really  should  not  be  saved,  the  user  can  either  save  and  then  undo  the  changes  individually 
or  not  save  and  perform  the  Resynchronize  VNDB  function  (section  4.1.12).  Note:  this  is  clearly 
unacceptable;  future  versions  will  improve  the  user's  ability  to  undo  operations  performed. 

4.1.2.  View  Spine  (Blue  Eye) 

The  View  Spine  menu  item  hides  all  except  the  spine  of  the  argument.  The  spine  includes 
all  shapes  that  have  a  blue  outline,  i.e.,  Objectives,  Threats,  Claims,  And/Or,  and  links  of  these 
shapes.  Abstracting  away  all  but  the  essential  elements  of  an  argument  map  may  be  helpful  for 
focusing  on  specific  properties  of  the  map. 


j  VHRM  Designer  Visio 
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4.1.3.  View  Flesh  (Green  Eye) 

PM  The  View  Flesh  menu  item  hides  an  arguments  assumption  validation,  showing  only  the 
spine  and  flesh  of  the  argument.  The  flesh  includes  all  shapes  that  have  a  green  outline,  i.e., 
mBSM  Models,  Reasoning,  Strategy,  and  links  of  these  shapes.  The  spine  includes  all  shapes  made 
visible  by  View  Spine  (section  4.1.2).  Abstracting  away  the  assumption  validation  layer  of  an  argument 
map  may  be  helpful  for  focusing  on  specific  properties  of  the  map. 

4.1.4.  View  Validation  (Red  Eye) 

jsyiH|l  The  View  Validation  menu  item  shows  the  whole  argument  map  -  the  spine,  flesh,  and 
J  assumption  validation.  The  assumption  validation  layer  includes  Assumptions  and  the 
validation  shape,  which  have  a  red  outline.  Once  an  Assumption  is  validated  it  becomes  a 
Dependency  shape,  which  is  part  of  the  flesh.  The  spine  and  flesh  includes  all  shapes  made  visible  by 
View  Flesh  (section  4.1.3).  Viewing  all  layers  is  needed  to  get  a  complete  picture  of  an  argument  map. 

4.1.5.  Label  Shapes 

PJWJ  The  Label  Shapes  menu  item  labels  all  of  the  graphical  shapes  that  appear  in  the  stencil 
jjjjgfl  1  III  except  for  And/Or  shapes.  Labels  are  uniquely  assigned  as  a  three-letter  abbreviation  of  the 
BjJ  shape  type  followed  by  a  number.  Shapes  can  be  labeled  in  a  depth-first  or  breadth-first 
manner,  depending  on  the  Options  setting  (section  4.1.11).  The  appropriate  setting  depends  largely  on 
whether  the  argument  map  is  to  be  presented  in  a  depth-first  or  breadth-first  manner.  The  default  is 
breadth-first  labeling. 

This  function  labels  Validation  shapes  and  those  connectors  whose  labels  cannot  be  determined  from 
their  direct  pair-wise  connections,  e.g.,  the  label  of  a  Claim-to-And  connection  depends  on  the  shapes  to 
which  the  And  is  connected.  As  a  side  effect  of  labeling  the  Validation  shapes,  each  Assumption  shape 
that  is  validated  transforms  into  a  Dependency  shape,  which  is  part  of  the  argument  flesh.  Likewise,  each 
Dependency  shape  that  is  not  validated  transforms  into  an  Assumption  shape,  which  is  part  of  the 
argument  validation. 

4.1.6.  Add  Hyperlink 

■BE  The  Add  Hyperlink  menu  item  attaches  a  button  to  a  shape  that  can  be  assigned  an 

jtl  arbitrary  URL  or  file  hyperlink.  As  long  as  the  web  browser  used  can  understand  the  link  type, 
i|  users  can  traverse  the  link  to  more  information  pertaining  to  the  shape,  e.g.,  more  detailed 
specifications  or  evidence  regarding  the  assurance  argument.  To  add  a  hyperlink,  select  the  shape  to  be 
hyperlinked  and  invoke  the  Add  Hyperlink  function.  The  button  can  then  be  double-clicked  to  assign  the 
link  initially.  Changes  to  the  link  can  be  made  by  right-clicking  the  button  to  edit  the  link,  as  usual  in 
Visio.  Links  can  be  made  to  external  files  or  URLs  by  editing  the  Link  to  File  or  URL  textbox,  or  to 
pages  within  the  same  Designer  document,  by  editing  the  Named  location  in  file  textbox.  In  the  latter 
case,  VNRM  Designer  has  already  assigned  the  document  name  in  the  first  textbox.  Intuitive  screen  tips 
can  also  be  provided  in  the  Descriptive  name  of  link  textbox.  Once  assigned,  the  link  can  be  followed 
by  double  clicking. 

4.1.7.  Deselect  All 

The  Deselect  All  menu  item  deselects  all  shapes  in  all  pages  of  all  documents  currently 
loaded  into  VNRM  Designer.  This  function  is  a  useful  precursor  to  Validate  Assumption 
(section  4.1.8),  since  that  function  requires  that  only  those  shapes  participating  in  a  validation 
be  selected. 
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4.1.8.  Validate  Assumption 

BThe  Validate  Assumption  menu  item  designates  the  claims  or  evidence  in  one  part  of  an 
argument  map  that  validates  an  assumption  in  another  part  of  the  map.  The  user  must  select  the 
validated  Assumption  shape  and  the  validating  Claim  or  Evidence  shapes,  and  only  those 
shapes,  before  invoking  Validate  Assumption.  Invoking  Deselect  All  (section  4.1.7)  before  selecting 
the  shapes  that  participate  in  a  validation  will  help  to  ensure  that  only  the  desired  shapes  are  selected. 
Validate  Assumption  labels  the  Validation  shapes  and  sets  up  all  of  the  necessary  hyperlinks  between 
the  Validation  shapes.  To  ensure  that  labeling  is  current,  the  user  may  need  to  invoke  Label  Shapes 
(section  4.1.5). 


4.1.9 .  VNRM  Dictionary 

HThe  VNRM  Dictionary  menu  item  starts  VNRM  Dictionary  (section  6)  and  loads  the 
dictionary  terms  of  the  project  currently  loaded  into  VNRM  Designer.  Dictionary  terms  are 
highlighted  in  shape  text.  The  addition  or  deletion  of  dictionary  terms  updates  this  highlighting. 


4.1.10.  VNRM  Desktops 


The  VNRM  Desktops  menu  item  starts  VNRM  Desktops  (section  5)  and  loads  the  virtual 
desktops  defined  for  the  project  currently  loaded  into  VNRM  Designer.  This  permits  adding  or 
deleting  desktops  from  the  database  and  moving  between  desktops  in  the  VNRM  Designer. 


4.1.11.  Options 

The  Options  menu  item  presents  the  options  dialog  box.  Currently  only  the  choice  between 
depth-first  and  breadth-first  labeling  (section  4.1.5)  is  provided.  We  plan  to  provide  other 
options  for  customizing  VNRM  Designer  as  the  prototype  evolves. 


4.1.12.  Resynchronize  VNDB 


The  Resynchronize  VNDB  menu  item  refreshes  the  information  in  the  VNDB  relating  to  the  project 
currently  loaded  based  on  the  current  state  of  the  project  in  VNRM  Designer.  This  should  be  used  only  if 
the  database  has  been  corrupted,  perhaps  due  to  a  system  crash.  All  of  the  Designer  documents  for  a 
project  must  be  loaded  when  the  function  is  invoked.  Once  completed,  the  user  must  manually  Set  Root 
Page  (section  3.1.4)  for  every  document  in  the  project  in  VNRM  Explorer. 


4.1.13.  Re-Apply  Dictionary  Formatting 


The  Re-Apply  Dictionary  Formatting  menu  item  refreshes  the  VNRM  Designer  interface  by 
reapplying  the  dictionary  highlighting  for  all  shapes  currently  loaded.  This  should  only  be  done  if  the 
highlighting  becomes  inconsistent  with  the  current  state  of  the  dictionary. 


4.2.  Miscellaneous  Operations 


4.2. 1.  Adding  New  Document 

To  add  a  new  Designer  Document,  click  on  the  FilelNewIVnrmDesignerDrawing  menu  item.  This 
creates  and  opens  a  new  unnamed  document,  ready  for  editing.  Currently,  documents  can  be  renamed 
only  from  VNRM  Explorer.  If  VnrmDesignerDrawing  does  not  show  up  under  the  FilelNew  menu,  you 
need  to  place  the  VnrmDesignerDrawing. vst  file  from  the  VnrmXSesame  folder  into  your  VisioVSolutions 
folder,  and  restart  VNRM  Designer. 
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4.2.2 .  Saving  Documents 

Use  the  SaveAll  command  in  the  Designer  menu  item  to  save  all  the  documents.  To  save  an 
individual  document,  choose  the  document  to  be  saved  and  click  FilelSave.  Do  not  change  the  name  of 
the  document  using  FilelSave,  since  Visual  NRM  does  not  remember  changes  to  files  explicitly  created 
by  the  user. 

4. 2. 3.  Saving  Window  Settings 

To  save  a  page's  window  size  and  position  in  the  VNRM  Designer  interface,  right-click  anywhere  in 
the  window  that  is  not  already  occupied  by  another  shape  or  connection.  Select  Save  Window  Settings. 
The  next  time  you  invoke  that  window,  it  will  automatically  appear  with  that  size  and  position. 

4.2.4.  Restoring  Window  Settings 

To  restore  to  default  settings  a  page's  window  size  and  position  in  the  VNRM  Designer  interface, 
right-click  anywhere  in  the  window  that  is  not  already  occupied  by  another  shape  or  connection.  Select 
Restore  Window  Settings.  The  window  will  return  to  its  default  size  and  position. 

4. 2.5.  Adding  New  Page 

To  add  a  new  Designer  page  within  a  document,  click  on  the  InsertIPage  menu  item.  This  invokes  a 
dialog  box  with  three  tabs.  Click  the  Page  Properties  tab,  name  the  page  in  the  Name  text  box,  and 
click  the  Open  Page  in  New  Window  checkbox,  if  you  want  your  current  page  to  stay  open. 

4.2.6.  Opening  Page 

To  open  an  existing  Designer  page  within  a  document,  click  on  the  EditIGo  TolPage  menu  item. 
Click  the  page  you  want  to  open,  click  the  Open  Page  in  New  Window  checkbox  (if  you  want  your 
current  page  to  stay  open),  and  click  OK. 

4.2.7.  Changing  Page  Name 

To  change  the  name  of  a  page  within  a  document,  click  on  the  FilelPage  Setup  menu  item.  This 
invokes  a  dialog  box  with  five  tabs.  Click  the  Page  Properties  tab  and  change  the  name  in  the  Name 
text  box. 

4.2.8.  Deleting  Page 

To  delete  a  page  from  a  document,  chose  EditIDrawing  PagelDelete  Page  and  select  the  page  to  be 
deleted  from  the  dialog  box  that  appears.  This  operation  cannot  be  reversed  so  make  sure  you  delete  the 
right  page. 

4.2.9.  Size  Page  to  Fit  Drawing 

To  re-size  a  page  to  fit  tight  around  a  drawing,  click  on  the  FilelPage  Setup  menu  item.  This 
invokes  a  dialog  box  with  five  tabs.  Click  the  Page  Size  tab  and  check  the  Size  Page  to  Fit  Drawing 
checkbox.  This  is  useful  for  making  the  most  out  of  the  space  you  have  available  while  viewing  the  whole 
page. 
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4.2.10.  Page  Zooming 

Visio  provides  various  Zooming  capabilities  under  the  View  menu  item.  Choose  the  Zoom  level  that 
best  fits  your  preference.  Choosing  Whole  Page  followed  by  sizing  the  page  to  fit  the  drawing  (section 
4.2.9)  is  nice  for  getting  the  most  out  of  the  screen  real  estate. 

4.2.11.  Aligning  Shapes 

To  align  shapes,  select  the  shapes  to  be  aligned  and  click  the  Toolsl Align  Shapes  menu  item.  Select 
the  type  of  alignment  desired  from  the  dialog  box  that  appears. 

4.2.12.  Distributing  Shapes 

To  distribute  shapes  on  a  page,  select  the  shapes  to  be  distributed  and  click  the  Toolsl  Distribute 
Shapes  menu  item.  Select  the  type  of  distribution  desired  from  the  dialog  box  that  appears. 

4.2.13 .  Selecting  Multiple  Shapes 

Multiple  shapes  can  be  selected  by  holding  down  the  Shift  key  as  you  select  the  shapes  desired.  Visio 
also  supports  rubber-banding  by  dragging  a  selection  box  around  the  shapes  you  wish  to  select.  Shift¬ 
clicking  a  selected  shape  deletes  the  shape  from  a  collection  of  selected  shapes. 

4.2.14.  Removing  Validation 

To  remove  an  individual  Validation  shape  from  a  Validation  Stack,  right-click  the  shape  to  be  deleted 
and  choose  Remove  Validation  from  the  pop-up  menu  that  appears.  If  only  one  validation  shape  is  in  the 
Validation  Stack,  this  operation  is  equivalent  to  Remove  Validation  Stack  (section  4.2.15). 

4.2.15.  Removing  Validation  Stack 

To  remove  a  shape’s  Validation  Stack,  right-click  the  shape  to  which  the  stack  is  attached  and  choose 
Remove  Validation  Stack  from  the  pop-up  menu  that  appears.  This  operation  will  transform 
Dependency  shapes  into  Assumptions  shapes  upon  the  next  re-labeling  (section  4.1.5). 

4.2.16.  Editing  Long  Description 

Users  can  enter  brief  summary  descriptions  of  a  shape  by  double-clicking  the  shape.  Sometimes  a 
more  detailed  description  is  necessary  to  fully  explain  the  purpose  of  the  shape.  To  enter  a  detailed 
description  of  a  shape,  right-click  the  shape  and  select  Edit  Long  Description  from  the  pop-up  menu. 
Enter  the  text  in  the  shape  just  as  when  entering  the  brief  summary.  When  finished,  click  the  X.  Although 
the  text  does  not  show  up  in  the  graphic,  it  has  been  stored  in  the  database  and  will  show  up  in  the  tables 
produced  using  the  VNRM  Documentor  (section  7). 

4.2.17.  Undoing  Operations 

There  is  currently  no  support  for  undoing  operations  performed.  All  undos  have  to  be  performed 
manually.  Using  the  Visio  undo  operation  is  dangerous  since  the  database  is  not  updated  to  reflect  the 
new  undone  state.  Invoking  the  Resynchronize  VNDB  (section  4.1.12)  command  makes  the  VNDB 
consistent  with  the  current  state  of  the  Designer. 
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5.  VNRM  DESKTOPS 

VNRM  Desktops  provides  a  virtual  desktops  function.  When  used  in  combination  with  VNRM 
Designer,  this  permits  associating  different  segments  of  an  assurance  argument  map  for  their 
simultaneous  elaboration  or  examination.  As  shown  in  Fig.  13,  the  VNRM  Desktops  interface  consists  of 
three  parts:  the  pull-down  menu,  the  desktops  list  box,  and  the  desktop  viewer.  The  figure  shows  a  virtual 
desktop,  called  DORestrictedDowngrade,  in  the  desktops  list  box  with  its  layout  shown  in  the  desktop 
viewer.  Desktops  are  selected  by  clicking  the  down  arrow  on  the  right-hand  side  of  the  list  box.  Desktops 
may  be  renamed  by  editing  the  name  in  the  desktops  list  box  in-line.  To  the  left  of  the  list  box  is  a  button 
that,  when  clicked,  invokes  the  pull-down  menu.  Each  page  in  the  desktop  viewer  also  has  a  pull-down 
menu  upon  clicking.  This  section  describes  the  functions  available  from  button  and  page  pull-down 
menus. 

5.1.  Button  Pull-Down  Menu 

To  invoke  the  Button  Pull-Down  Menu,  click  the  button  to  the  left  of  the  desktops  list  box. 

5.1.1.  Add 

The  Add  menu  item  creates  a  desktop  out  of  the  current  page  layout  in  the  VNRM  Designer  interface. 
Add  clears  the  desktops  list  box  permitting  the  user  to  enter  the  name  of  the  new  desktop.  Once  entered, 
the  user  must  hit  the  carriage  return.  Add  then  inserts  a  small-scale  version  of  the  current  VNRM 
Designer  page  layout  in  the  desktop  viewer.  Note  that  VNRM  Designer  must  be  running  when  Add  is 
called  or  an  error  is  generated. 


Fig.  13-VNRM  Desktops  interface 


5.1.2.  Delete 

The  Delete  menu  item  deletes  the  desktop  displayed  on  the  desktop  viewer  from  the  list  of  accessible 
desktops  and  loads  the  next  one  in  the  list,  if  any. 

5.2.  Page  Pull-Down  Menu 

To  invoke  the  Page  Pull-Down  Menu,  click  a  page  in  the  desktop  viewer. 
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5.2.1.  Remove  from  Desktop 

The  Remove  from  Desktop  menu  item  removes  the  page  selected  from  the  desktop  displayed  in  the 
desktop  viewer. 

5.2. 2.  Save  as  Default  Settings 

The  Save  as  Default  Settings  menu  item  saves  the  position  settings  for  the  page  selected  as  the 
default  page  position  setting.  This  default  is  used  as  the  initial  page  position  whenever  VNRM  Designer 
loads  the  page.  The  page  position  in  individual  desktops  may  vary  from  the  default  depending  on  the 
placement  of  the  page  when  the  desktop  was  added.  Save  as  Default  Settings  sets  the  page  position  in 
the  desktop  as  the  default. 

5.2.3.  Load  Default  Settings 

The  Load  Default  Settings  menu  item  changes  the  position  setting  for  the  page  selected  to  the 
default  page  position  setting.  This  default  is  used  as  the  initial  page  position  whenever  VNRM  Designer 
loads  the  page.  The  page  position  in  individual  desktops  may  vary  from  the  default  depending  on  the 
placement  of  the  page  when  the  desktop  was  added.  Load  Default  Settings  reverts  the  page  position  in 
the  desktop  to  the  default. 

6.  VNRM  DICTIONARY 

VNRM  Dictionary  is  a  compact  interface  for  reviewing,  extending,  or  revising  the  terms  and 
definitions  of  the  global  dictionary  or  a  project-local  dictionary  (see  section  2  for  the  distinction  between 
the  global  and  a  local  dictionary).  The  tool  provides  the  same  functions  as  those  provided  in  VNRM 
Explorer  for  accessing  the  dictionaries,  but  with  an  interface  that  has  a  smaller  footprint  for  convenient 
simultaneous  access  with  VNRM  Designer  or  VNRM  Documentor. 

As  shown  in  Fig.  14,  the  VNRM  Dictionary  interface  consists  of  three  parts:  the  pull-down  menu,  the 
term  list  box,  and  the  definition  text  box.  The  figure  shows  the  term  downgrade  highlighted  in  the  term 
list  box  with  its  definition  shown  in  the  definition  text  box.  Terms  and  their  definitions  are  selected  by 
clicking  the  down  arrow  on  the  right-hand  side  of  the  list  box  and  are  edited  in-line.  To  the  left  of  the  list 
box  is  a  button  which,  when  clicked,  invokes  the  pull-down  menu.  The  rest  of  this  section  describes  the 
functions  available  from  this  menu. 


Hi..  VNRM  Dictionary11 
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Fig.  14- VNRM  Dictionary  interface 


6.1.  Pull-Down  Menu 

To  invoke  the  Pull-Down  Menu,  click  the  button  to  the  left  of  the  term  list  box. 
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6.1.1.  Add 

Selecting  Add  from  the  pull-down  menu  clears  the  term  list  box,  permitting  the  user  to  type  in  the 
terms  to  be  added.  After  hitting  the  carriage  return  key,  the  term  is  added  to  the  dictionary  with  a  null 
definition.  Users  can  then  type  the  term’s  definition  in  the  Definition  text  box.  To  accept  the  definition, 
click  on  the  term.  Terms  may  not  currently  have  spaces  in  them.  To  define  phrases,  use  dashes  instead  of 
spaces. 

6.1.2.  Delete 

Selecting  Delete  from  the  pull-down  menu  deletes  the  term  that  appears  in  the  term  list  box.  Note 
that  this  deletes  the  definition  as  well.  To  rename  the  term  and  keep  the  same  definition,  simply  edit  the 
term  text  to  the  new  term  and  hit  the  carriage  return.  The  definition  can  be  modified  as  well,  but 
remember  that  to  accept  the  new  definition  you  need  to  click  on  the  term. 

6.1.3.  Undo 

Selecting  Undo  from  the  pull-down  menu  undoes  the  previous  pull-down  menu  operation.  An  Undo 
of  an  Add  operation  deletes  the  term  added.  Likewise,  an  Undo  of  a  Delete  operation  adds  the  term 
deleted.  An  Undo  of  an  Undo  operation  reverses  the  Undo.  Note  that  Undo  does  not  undo  changes  to  the 
definition  of  a  term.  Such  changes  must  currently  be  undone  manually. 

7.  VNRM  Documentor 

VNRM  Documentor  integrates  the  argument  maps  produced  using  VNRM  Designer  into  textual, 
Microsoft  Word  documents.  The  Word  document  is  based  on  a  template  that  takes  as  parameters  project 
and  document  properties  definable  in  VNRM  Explorer  (section  3.1.3).  The  Designer  document  structure 
and  claim  tree  hierarchy  of  the  map  can  be  used  to  layout  the  Word  document  automatically.  Fig.  15 
depicts  the  Word  interface  customized  with  VNRM  Documentor  specific  function.  The  figure  shows  a 
part  of  the  chapter  on  the  Personnel  Security  aspects  of  the  Downgrader  example.  VNRM  Documentor 
translates  the  hyperlinked  shapes  available  in  VNRM  Designer  as  Word  tables  that  specify  the  graphic 
index  and  page  number  to  which  each  shape  is  linked.  A  column  of  the  table  is  also  reserved  for  the 
detailed  description  of  shapes  that  are  permitted  in  VNRM  Designer  (section  4.2.14).  Documentor  cross- 
references  the  page  numbers  in  the  Word  document,  preserving  much  of  the  ease  of  navigation  provided 
by  Designer.  These  tables  are  maintained  using  VNRM  Documentor  functions  and  should  not  be  edited 
directly. 
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Fig.  15-VNRM  Documentor  interface  customizing  Microsoft  Word 

VNRM  Documentor  functions  are  accessible  from  the  Word  interface  through  either  the  Documentor 
menu  or  through  toolbar  icons  on  a  special  Visual  NRM  toolbar.  The  rest  of  this  section  describes  the 
functions  to  document  Visual  NRM  maps.  Each  function  description  includes,  as  appropriate, 
preconditions  of  use,  the  results  of  execution,  additional  means  of  invocation,  and  future  enhancements.  If 
the  function  can  be  invoked  via  the  toolbar,  the  toolbar  icon  representing  the  function  is  displayed.  Since 
Visual  NRM  is  an  evolving  prototype,  certain  functions  may  not  yet  be  implemented.  We  describe  these 
future  enhancements  to  provide  a  more  complete  picture  of  where  Visual  NRM  is  going.  We  do  not 
describe  Word-specific  functions,  but  refer  the  reader  to  the  Word  documentation 


7.1.  Documentor  Menu 


7.1.1.  Import  VNRM  Map 

BThe  Import  VNRM  Map  menu  item  allows  the  user  to  import  VNRM  Designer  pages  or 
whole  documents  into  the  VNRM  Documentor.  The  user  controls  the  importation  through  the 
dialog  box  shown  in  Fig.  16.  The  interface  provides  options  to  insert  Designer  documents  into 
separate  chapters  or  to  insert  document  pages  into  an  appendix.  The  first  option  lists  the  documents  that 
are  not  already  imported  in  the  window  on  the  left  of  the  interface.  The  user  selects  the  documents  to  be 
imported.  Once  submitted,  the  pages  of  each  document  are  imported,  in  the  order  selected,  into  a  chapter 
using  chapter  section  headings  to  reflect  the  hierarchy  of  the  pages.  Use  of  this  option  assumes  that  a  root 
page  is  set  for  each  document  (section  3.1.4).  The  second  option  lists  all  document  pages  that  are  not 
already  imported  in  the  left  window.  Again,  the  user  selects  the  pages  to  be  imported,  but,  once  submitted, 
the  pages  are  sequentially  attached  at  the  end  of  the  report. 

As  shown  in  Fig.  16,  the  user  also  has  the  option  of  automatically  or  manually  updating  the  fields 
within  the  report  generated.  The  fields  of  the  document  include,  among  other  things,  the  (Visio)  pages 
constructed  using  VNRM  Designer,  which  are  imported  as  OLE  links.  Although  automatic  update  keeps 
fields  automatically  consistent  with  modifications  to  the  pages  in  Designer,  the  overhead  associated  with 
this  automation  can  be  significant  for  nontrivial  argument  maps.  We,  therefore,  suggest  manual  database 
field  update  for  all  but  the  most  trivial  maps.  Users  update  fields  when  in  the  manual  mode  using  the 
Update  Fields  menu  item  described  in  section  7.1.4 


I  Select  page  s/do  cuinenis  to  be  imported 
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|  Secure  Downgrade 


of  Booument 


The  security  of  personnel  that  administer  and  protect  the  Down  grader.  iT  insert  document?  as  chapter  ::  C  Automatic  BB  Field  Update 


Fig.  16-Dialog  box  for  importing  VNRM  maps 

7. 1.2.  Identify  Project  (footprints) 

The  Identify  Project  menu  item  instantiates  various  fields  of  the  Word  document  template 
using  the  properties  identified  in  the  project  and  document  properties  dialog  (section  3.1 .3).  Not 
x  all  information  in  the  dialog  needs  to  be  completed  for  the  Idontify  Projact  function  to  be 
useful;  the  function  uses  whatever  information  is  available  to  instantiate  the  corresponding  document 
fields.  Users  may  also  instantiate  fields  manually  through  normal  Word  text  editing.  The  <  and  > 
characters  delimit  fields  in  the  document  template  that  may  be  instantiated  either  automatically  or 
manually. 
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7. 7.3.  Update  All  Tables 

if]  p_.  The  Update  All  Tables  menu  item  updates  all  of  the  tables  in  the  document  that  use  data 

|  EE  from  the  VNDB.  This  includes  the  tables  placed  after  each  page  imported  that  describe  the 
jHbsssbJ  hyperlink  cross-references  and  the  table  of  dictionary  terms,  if  one  has  been  generated  (section 
7.1.7),  which  is  usually  attached  at  the  end  of  the  report.  While  Update  Fields  (section  7.1.4)  updates  the 
fields  in  these  tables,  this  command  reconstructs  these  tables,  extending  them  as  required  by  the  current 
state  of  the  VNDB. 

7.1.4.  Update  Fields 

The  Update  Fields  menu  item  updates  all  of  the  fields  of  the  document  that  use  data  from 
the  VNDB.  This  includes  the  VNRM  Designer  pages,  which  were  imported  as  OLE  links,  and 
the  tables  placed  after  each  page,  which  describe  the  hyperlink  cross-references.  Note  that 
Update  Fields  does  not  extend  the  cross-reference  tables  to  include  additional  rows  indicated  by  the 
VNDB. 

7.1.5.  VNRM  Dictionary 

HThe  VNRM  Dictionary  menu  item  starts  VNRM  Dictionary  (section  6)  and  loads  the 
dictionary  terms  of  the  project  whose  document  is  currently  loaded  into  VNRM  Documentor. 


cP-i 
■  1 1 1 

1 ,14  I 


7.1.6.  Insert  Term  in  Dictionary 


The  Insert  Term  in  Dictionary  menu  item  adds  a  term  highlighted  in  the  Documentor 
document  to  the  project  local  dictionary.  The  function  invokes  VNRM  Dictionary  with  the  term 
inserted,  ready  for  the  user  to  define  the  term.  If  the  term  is  already  defined,  its  current 
definition  is  displayed.  Remember  that  terms  may  not  have  any  spaces;  dashes  can  be  used  instead. 


7.1.7.  Update  Dictionary  Table 

0The  Update  Dictionary  Table  menu  item  updates  the  document's  table  of  dictionary 
1  terms.  The  table  includes  dictionary  terms  of  the  project  whose  document  is  currently  loaded 
11  into  VNRM  Documentor.  If  the  document  contains  no  dictionary  table,  one  is  inserted  at  the 
end  of  the  document.  If  no  terms  are  defined,  the  Update  Dictionary  Table  generates  an  error. 
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COMPLETE  DOWNGRADER  REFINEMENT 


Term 

Definition 

DO 

Downgrade  Officer 

downgrade 

moving  information  from  one  classification  level  to  a  lower  classification  level 

High 

a  classification  level  that  dominates  Low 

Low 

a  classification  level  dominated  by  High 

IBB 

■ 

Hit 

Fig.  Al-Downgrader:  The  Problem 
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Fig.  A4-Physical  Security:  Physical  Access 
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DemonstratedBy 
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background  \ 
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training  by  \ 
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investigated  by  \ 
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experienced  \ 
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experienced  \ 

personnel  \ 
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personnel  when  j 

l  UJ 

when  hired  and  1 

IU 

hired  and  regularly  J 

\ 

regularly  every  J 

V 

every  5  years  J 

\ 

year  thereafter  / 

x 

thereafter  / 

V - X 

Fig.  A5-Personnel  Security:  DO  Trustworthy 


plAISV 


Downgrade  Procedures 
ensure  that  every 
^  message  from  High  to 
^  Low  be  Inspected  by  an 
operator  before 
downgrade 


Downgrade  Procedures 
ensure  that  only 
messages  containing  no 
High  information  may  be 
downgraded  to  Low 
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Update  Fields,  20,  38,  39 
Update  Tables,  20 
User  Guide,  28 

v 

Validate  Assumption,  16,  30,  31 
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